
INDIVIDUAL

MIDTERM PRESENTATION REPORT


ON
CRYPTOPROCESSOR DESIGN

PRESENTED
BY
VENKATESH YARLAGADDA
CWID:893345710

What is a Crypto Processor?


A crypto processor is a dedicated computer/microprocessor on a chip for carrying
out cryptographic operations. The crypto processor acts as a keystone for the security subsystem. These crypto processors are further developed as smart cards. Secure crypto
processors are widely used in systems such as automatic teller machines, TV set-top boxes
and military applications.
The trusted platform module is an implementation of the secure crypto processor. Security chips
for embedded systems are also available that provide the same level of physical protection for
keys. These are often referred to as cryptographic authentication devices. Hardware security
modules contain one or more crypto processors. These can have multiple levels of physical
security with a single-chip crypto processor. The crypto processor does not reveal keys. The
crypto chips may also be potted in the security module with other processor and memory chips
that store and encrypt the data.
A crypto processor is a physically tamper-resistant embedded processor. It is used to communicate
with a conventional mainframe and to perform a set of cryptographic operations. These are used by
web designers to protect Secure Sockets Layer keys. The latest applications of tamper-resistant
processors are in Digital Rights Management.

Uses of Crypto Processor


Crypto processors are used in microcontrollers at low cost. Many applications such as
remote key entry use shared-key cryptographic algorithms such as triple-DES and AES. Public
key crypto processors are used in the web to reduce the traffic. Crypto processors are
widely used in military applications. Modern military cipher machines not only use classified
algorithms in tamper-resistant chips but also use crypto ignition keys to transport initial key
values.
Trusted computing is designed to embed the crypto processor in new technologies. ATMs
are the killer application in which crypto processors are widely used. They are used on
communication links to secure the data on them. All crypto processors are equipped with tamper
resistant devices. They are used to protect the IP address and for security
purposes. We can use simple storage devices to secure data by using crypto processors.
Encryption is provided by other equipment where cryptographic algorithms are used to protect
encrypted data. The power consumption and performance of systems are good when using
crypto processors. They can be implemented in hardware as well as on chips. These
provide more comfort.

History of Crypto Processor:


The word crypto processor is derived from the Greek word krypto, meaning hidden, and
graphia, meaning writing. The combination of cryptography and tamper-resistance was first
used in the military. These are used for protecting ATM networks. In the 70s IBM
developed a system for authenticating customers to ATMs. These were used in nuclear
weapon arming and communication hardware. The earliest crypto processor was the IBM 3848,
used for ATMs and mainframe computers. More recently they are used in GSM SIM cards
and smart cards. Crypto processors are also used in cartridges, game collectors and car
electronics.

Design and design considerations:


Design of the crypto processor involves the performance, management, availability and cost
characteristics.
Availability considerations:
Clustering Encrypting devices:
This method is used to ensure protection against hardware failure. There are two ways for
method encryption algorithm.
The high availability clusters provide hardware redundancy for the encryption devices. The Data
Encryption Devices are used to share the keys between two or more encryption devices.
Dual sites:
There are two production sites. One is the primary production site and secondary disaster site.
These are used to encrypt the data. If the data is encrypted at the primary production site it will
not be encrypted at the other end.
Redundant Key Vaults:
Key vaults can also be configured in a clustered configuration to provide redundancy. These
must be located at two different specifications in order to provide maximum redundancy.
Performance Considerations:
Deduplication and compression with Encryption:
Encryption does not co-exist with deduplication and compression. A compression application
looks for patterns in the data; for example, white space is optimized by the compression algorithm.
Encryption randomizes the data and converts white space into random combinations of 0s and 1s,
so no patterns are left for compression or deduplication to find.
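
The effect described above can be measured directly. The following is an added example, not part of the original report: it compresses and deduplicates a constructed sample before and after encryption. The toy SHA-256 keystream, the 4 KiB block size and the sample data are assumptions of this example.

```python
import hashlib
import zlib

BLOCK = 4096  # deduplication block size assumed for this example

def keystream_encrypt(key, data):
    # Toy counter-mode keystream built from SHA-256; it stands in for the
    # encryption device's cipher (assumption of this example).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def storage_stats(data):
    """Return (compressed size, number of unique 4 KiB blocks) for data."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    unique = {hashlib.sha256(b).digest() for b in blocks}
    return len(zlib.compress(data)), len(unique)

def compare():
    # Constructed sample: eight identical 4 KiB blocks of padded log text.
    block = (b"2024-01-01 backup job ok" + b" " * 40) * 64
    plain = block * 8
    cipher = keystream_encrypt(b"constructed-demo-key", plain)
    return {"size": len(plain),
            "plain": storage_stats(plain),
            "cipher": storage_stats(cipher)}

if __name__ == "__main__":
    print(compare())
```

On the plaintext, all eight blocks deduplicate to one and the data compresses to a small fraction of its size; on the ciphertext, every block is unique and compression saves nothing.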

Cost considerations:
The cost of the system increases as availability, performance and simplicity of management are
increased. In order to reduce the cost of the system we need to deploy a single
encryption device in dual fabric configurations.
Other Considerations:
Virtual Host considerations:
Virtual hosts have become ubiquitous in enterprise data level considerations. Virtual hosts are
assigned a unique virtual WWN that is different from that of the physical server. VMware offers two
methods of presenting storage to the VM:
VMFS: Virtual Machine File System via data storage
RDM: Raw device using Raw Device Mapping
Families of Crypto Processor:
Double Encryption:
The process of encrypting already encrypted data once or twice using the same or different
algorithms is known as double encryption. This is also known as multiple or cascade encryption.
It is used to protect the data and the system. These have dedicated crypto blocks to encrypt the data.
Through this the throughput increases, that is, the amount of data that passes through the system
increases.
FPGA Implementation:
High security is provided by the cryptographic algorithm. The implementation is flexible,
allows efficient algorithm operation and provides for ASIC implementation. It is very fast and has low
power consumption.

Double Encryption:
This type of crypto processor protects the running program and the data. Here the data and the process
are encrypted. All the information is decrypted within the security of the processor and then
encrypted before memory storage or input/output transmission. A barrier of encryption and
decryption sits between the processing elements, data elements and input-output elements.

Processor with Double Encryption:

New Section for key management


Keys may be hardwired in (externally loadable)
Hardwiring in the keys generally allows them to be zeroed
Hardwired keys are generally not visible to the outside world under any
(reasonable) conditions
There is both a secure and a non-secure I/O channel
The strength of the security in the processor is directly dependent on how well
these two channels are isolated
The easiest place to attack would be at this point of isolation

Results in data transactions being monitored in the clear

Architecture of Dedicated Crypto Blocks:

CRYPTOPROCESSOR IMPLEMENTATION IN FPGA:


FPGA stands for Field Programmable Gate Array. It is an alternative to a
custom design, since a high-end custom design mask set is expensive.
Used for speeding up cryptographic processing
Flexibility allows for system evolution
Algorithm agility for security protocols
A must to become commercially viable
Allow complex arithmetic operations that general CPUs cannot perform efficiently
May be more cost-effective solution than VLSI/ASIC
Modifications can be made with ease

ADVANTAGES:
Gate-level design is very easy and time to market is fast, i.e. there is no manufacturing
delay. It can also be used more like software, so design errors can be fixed over time.

DISADVANTAGES:
It is very expensive: the unit cost is higher, and it is also inefficient, slower and more
power hungry.

PERFORMANCE OF FPGA:
The performance of the FPGA is mainly based on the following things:
Emphasized in literature
Less common in practice

Strengths
500x speedup
50% power reduction
Significant improvements over standard processors
Modular arithmetic, bit level manipulation
Uncommon length bit-vectors
Point multiplication performance comparison
66MHz FPGA: 0.36ms
2.6GHz dual-Xeon: 197ms

CRYPTOPROCESSOR ASIC:
An ASIC is used in a cryptoprocessor to make the device faster and to decrease
power. The main advantages are listed below.
Optimized ASIC compared to FPGA performance
4x faster
97% area reduction
93% dynamic power reduction
May be unrealistic to see these gains
High volume applications
Speed necessary applications
e.g. network routers
Low power applications
e.g. RFID devices

Design comparison between FPGA and ASIC:


PARAMETERS         | SOFTWARE | FPGA      | ASIC
PERFORMANCE        | LOW      | MEDIUM    | HIGH
POWER CONSUMPTION  | DEPENDS  | VERY HIGH | LOW
LOGIC INTEGRATION  | LOW      | LOW       | HIGH
TEST DEVELOPMENT   | VERY LOW | VERY LOW  | HIGH
DENSITY            | HIGH     | VERY LOW  | HIGH
SIZE               | SMALL    | MEDIUM    | LARGE
TIME TO MARKET     | SHORT    | SHORT     | HIGH

ATTACKS ON CRYPTOPROCESSOR DEVICE SETS:


In the early 90s, security in devices was very minimal. Because of this,
many simple attacks were performed on cryptoprocessors; some of the
techniques are clock signals, voltage glitching and UV light. Many valuable
applications were attacked by these simple techniques. Soon enough the need for
security changed, as with smart cards in TV applications, which attackers
forged for their own benefit in order to watch for free.
Manufacturers also introduced security chips so that accessory vendors would pay a royalty.
This gave vendors a strong incentive to reverse engineer security chips and triggered an arms
race between attack and defense.
ATTACKS ARE DUE TO THESE FOLLOWING ISSUES:

Weaknesses are found in implementation


More vulnerable than the algorithm

Analyze the attack surface


The set of physical, electrical, and logical interfaces that are exposed to potential
attackers
Four classes of attacks

Invasive
Non-invasive
Semi-invasive
Remote attacks
Now let us discuss these attacks:
Invasive Attacks:
Involve direct electrical access to internal components of crypto processor
Example: drilling into passivation layer and micro probing
IBM 4758 interior has been exposed in figure below.

Non-Invasive Attacks:
Observing or manipulating the device's operation without breaking through packaging
Examples:
Power analysis of processor and correlating to computations to deduce crypto
keys
Glitching
Below graph shows the instruction fetch and processing,

SEMI-INVASIVE ATTACKS:
Involve access to the chip's surface but don't require electrical contact or penetration of the
passivation layer
Examples:
UV light allows attacker to read memory contents
Fault injection attacks
Low cost probing workstation using photoflash
Light causes transistor to conduct. Then able to set or reset any bit in SRAM
Below is the physical photoflash device which is used to attack devices.

REMOTE ATTACKS:
Not necessary to be near the chip, just need to intercept encrypted traffic
Two well-known attacks, but they aren't specific to crypto processors
Cryptanalysis and protocol analysis
API analysis: specific to crypto processors
Top-level s/w that governs its interactions with the outside world
An unexpected sequence of transactions which would trick a security module into revealing a secret in a manner contrary to the device's security policy

DEFENCE:FULL SIZE VS SMART CARDS:


Full-size: has many critical advantages
Glue logic
Large capacitors filter signals from external connections
Large enough for tamper-sensing barriers
Internal power supply allows constant monitoring
Smart cards

Short in sensor mesh causes self-destruction


Unpowered most of the time; chip doesn't know it's being tampered with
Glue logic

ATTACK ON IBM-4758 :
The IBM 4758 is a cryptographic coprocessor which is used to hold the keys in banking security
systems. It is a highly secured processor that cannot be opened without the correct key, but it has been
hacked by using a simple FPGA technique.
Rated at highest level of tamper-resistance
Certified at FIPS level 4, highest available level
Requires two security officials to update keys
Remote attack
Weakness in security protocols
A single official was able to learn all the keys
Took advantage of key handling routines to generate a key exporter
Only needed 20 minutes with device
Standard $995 FPGA
About 1 day of cracking time

4758 CCA KEY IMPORT ATTACK

One of the simple attacks that has been performed on the 4758 is an unauthorized type cast using IBM's pre-exclusive-or method. A typical case would be importing a PIN derivation key as a data key, so that
standard data ciphering commands could be used to calculate PIN numbers, or importing a KEK
as a DATA key, to allow eavesdropping on future transmissions. The key import command
requires a KEK with permission to import and the encrypted key to import. The attacker must have the
necessary authorization in his access control list to import to the destination type, but the original
key can have any type. With this attack, all the information shared by another crypto processor is
open to abuse. More subtle type changes are worthy of mention, such as re-typing the right half of
a DES key as a left half.
These are the key import attack keys,

Key Hierarchies:
Storage of large number of keys becomes necessary when used between multiple users for
enforcing protection. This is the common storage method and it provides effective key sharing.
Access can be granted to the key set by providing grant to the next level. By keeping the top
level keys in the tamper proofed environment we can increase the storage level capacity of the
crypto processor. The top layer contains master keys, the middle layer contains the transport
keys, the bottom level working keys and session keys together known as operational keys.
[Figure: key hierarchy diagram. Ovals represent keys; rectangles represent types. Layers: Master Keys, Transport Keys, Operational Keys, User Data. Labels: MasterKey, KEKMK, DATAMK, KEKs, Incoming, Outgoing, SharedData, WorkingKeys, UserData.]

Unauthorized Type-Casting:
Some type-casting is unauthorized because the designer does not want it to be possible. In some
architectures it is not possible to judge whether a type-cast is a bug or a feature. If type-casting
is possible it should be regulated at all stages by the access control function. If the crypto
processor does not keep an internal key structure it will have difficulty deleting keys. If the
encrypted version of a key leaves the crypto processor, it cannot prevent an attacker from saving his
own copy. By changing the master keys at the top of the hierarchy the deletion of the keys can be
effected.

Attacks on the NSM:


The VSM is a crypto processor designed to protect PIN numbers at ATMs and banks.
The NSM is a software-compatible clone.
The VSM has two states which are enabled by PIN. The two states are User and
Authorized. The NSM performance is increased by splitting the Authorized state into two. They
are Supervisor and Administrator. The User state is used to verify customer PINs in
a number of ways. It also contains transactions to permit key generation and update for session
keys. The Supervisor state is enabled only upon special controls. Administrator authorization
allows us to generate high-level master keys.
Terminal Master Keys (TMKs) are used in ATMs. PIN keys are used to convert the account number into
PIN numbers. The 4-digit PIN entered by the customer is calculated by the publicly available
algorithm. The TMKs and the public keys occupy the same type in the VSM.
Zone Control Master Keys are used to protect the exchange of working keys.
Working keys are used to protect the trial PINs entered by the customer.
Terminal Communication Keys are used for protecting the information that is going to and from
the ATMs.
All keys sent to ATMs are protected by TMKs.
There are two extra types. They are RAND and CLEAR.
RAND can be thought of as a source of an unknown random variable.
CLEAR is a source of a customer-chosen value.

[Figure: key type diagram for the module described above. Layers: Master Keys, Transport Keys, Op. Keys, User Data. Types shown: ZCMK, ZCMK_I, WK, WK_I, TC, TC_I, TMK/PIN, TMK_I, LP.]

Attacks on the IBM 4758 CCA:


The Common Cryptographic Architecture (CCA) is a standardised transaction set. It is implemented in
most of IBM's financial security products.
This is a PC-compatible cryptographic coprocessor. Control over the transaction is flexible. Role-based
access control is available.
The transaction set is large and complex.
The CCA stores all the keys in encrypted form outside the crypto processor. It has a single
168-bit master key at the root of its key hierarchy.
Control vectors are used by the CCA to hold the information.
A control vector is synonymous with a type and is bound to encrypted keys by XORing.
[Figure: CCA key type diagram. Layers: Master Keys, Transport Keys, Op. Keys, User Data. Types shown: KM, KMxIMP, KMxMAC, KMxPIN, KMxDAT, IMPORTER, EXPORTER, MAC, MAC_I, PIN, PIN_I, DAT, DAT_I.]
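
The key import attack section and the control vector description above both rest on the type being bound to a key only by XOR. The following added example, which is not part of the original report and is not IBM's code, models that binding with a toy cipher and sets it beside a binding in which the type is covered by a MAC, so a designer can see which mismatches each scheme rejects. The control vector values, the SHA-256 keystream and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Constructed 16-byte control vectors (type tags); not IBM's real values.
CV_PIN = bytes.fromhex("00112233445566778899aabbccddeeff")
CV_DATA = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, label, n):
    # Toy keystream standing in for the device's block cipher (assumption).
    return hashlib.sha256(label + key).digest()[:n]

def wrap_xor(kek, cv, key):
    """XOR binding: encrypt the key under (KEK XOR control vector)."""
    return xor(key, _stream(xor(kek, cv), b"enc", len(key)))

def unwrap_xor(kek, cv, blob):
    """The claimed type only changes the KEK, so a mismatch raises no error."""
    return xor(blob, _stream(xor(kek, cv), b"enc", len(blob)))

def wrap_auth(kek, cv, key):
    """Hardened form: the type is covered by a MAC and checked on unwrap."""
    blob = xor(key, _stream(kek, b"enc", len(key)))
    mac_key = _stream(kek, b"mac", 32)
    return blob, hmac.new(mac_key, cv + blob, hashlib.sha256).digest()

def unwrap_auth(kek, cv, blob, tag):
    mac_key = _stream(kek, b"mac", 32)
    expected = hmac.new(mac_key, cv + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("type or key-encrypting key mismatch")
    return xor(blob, _stream(kek, b"enc", len(blob)))

def demo():
    kek = bytes(range(16))                    # constructed KEK
    pin_key = bytes(range(100, 116))          # constructed PIN derivation key
    shifted = xor(kek, xor(CV_PIN, CV_DATA))  # KEK off by the CV difference
    blob = wrap_xor(kek, CV_PIN, pin_key)
    out = {
        "right_type": unwrap_xor(kek, CV_PIN, blob) == pin_key,
        "wrong_type_silent": unwrap_xor(kek, CV_DATA, blob) != pin_key,
        "retyped_as_data": unwrap_xor(shifted, CV_DATA, blob) == pin_key,
    }
    ablob, tag = wrap_auth(kek, CV_PIN, pin_key)
    for name, k in (("auth_wrong_type", kek), ("auth_shifted_kek", shifted)):
        try:
            unwrap_auth(k, CV_DATA, ablob, tag)
            out[name] = "accepted"
        except ValueError:
            out[name] = "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

With XOR-only binding the type is only as trustworthy as the KEK value itself, which is why the integrity of key-encrypting keys and of the type field has to be checked explicitly rather than implied by the encryption.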
