Slashdot Mirror
Students Develop Open Crypto Chip
Stuttgart students develop crypto chip
The eight head team "pg99" at the computer science dept of stuttgart university under guidance from Dipl-Ing Gundolf Kiefer has developed a complete crypto chip, which can do RSA (768 bit) and DES. With DES, with is intended for large data volumes, the chip can to 168 MBit/sec. The higher level RSA is being used mainly for DES key exchange, for authentication and for digital signatures. The chip will to ~50 keys/sec in RSA. Communication with the environment can be done via a parallel interface (8, 16 or 32 bit) or via two-wire I2C bis, which can be found on many current motherboards (Intel calls this SMB).
The 100,000 gate chip will be produced by Alcatel in 0.35 m technology (compare this to the 134,000 gates in an 80286). Officially the chip will be unveiled at the 8th of July at the computer science faculty, where the VHDL source of the design will be made availabe as Open Source.
Hang on a second here... is this chip used to actually crack DES encryption, or is it used to encrypt and decrypt information with an already KNOWN key? They way I'm seeing it, it's not a threat to DES security (although DES is already super weak) but this will allow you to encrypt and decrypt a whole lot more in stream.
Now, if they can get the chip to do triple DES at ~100Mb/s it would be slightly better.
Hmm, good point. Or four chips and quadruple DES, or five chips... hmmm... making DES secure by raising the re-encryptions. It's more feasable now that hardware like this is available.
I wonder how long it will take before someone does this.
Hello? Guys? This chip doesn't crack encryption, it just encrypts and decrypts really fast.
Some student already made a RC5 cracker in synthesizable form. He just never had a design wich could fit in the FPGA's he had available, so he couldnt try it out. :( His page used to be linked from d.net.
He seems to have finished his study and all traces of his webpage have disappeared
Yes, but the NSA has a hissy fit over DES being outside the USA. They don't like the idea of there being an encryption system around that they have to exhert themselves to break and read all those commie secrets.
Actually, quadruple DES wouldn't necessarily be more secure than triple. Double DES, for example, is _LESS_ secure than single.
And the silly USA-crypto-export laws did/can/will
prevent anybody from using crypto ?
You never noticed that laws are broken ?
Quite often , for that matter.
Knowledge about DES,IDES,RSA,you_name_it is out
in public for ages !
Wake up , people ! ( and goverments )
I wouldn't use RSA to encrypt bulk data if I were you, RSA is a "public-key" algorithm, all such algorithms are entire orders of magnitude slower than DES (or any symmetric cipher).
RSA is used to encrypt keys (like DES keys) and make signatures.
DES is actually used to crunch bulk data.
BTW... DES is dead! If you want good symmetric encryption, check out the AES submissions (the US Government's contest for a DES replacement)
DES History Lesson:
The DES algorithm was made outside the US government (I think by IBM). However, before publishing the algorithm, the NSA added several "modifications" to the S-BOX (a big lookup table) in the algorithm for reasons they refuse to discuss.
Hmmmmm..... Big Brother has probably been peeping through your DES encrypted data for over a decade now.
The German pages about this student project can be found at http://www.ra.informati k.uni-stuttgart.de/~stankats/pg99.html. More details about the various modules are provided there.
IMHO, the fashionable opinion which runs along the lines of 'cryptographic algorithms exist outside the US, therefore it is pointless for the US govt to attempt to restrict the export of cryptographic products' is naive and arrogant. Do people really think that the US govt is so stupid as to believe that export restrictions will completely deny the rest of the world strong cryptography (SC)? Surely not. The point is that they are trying to make it HARDER for the rest of the world to get SC than it would be without US export restrictions. Just because you can't stop something entirely doesn't mean that it's pointless to stop some of it (war, drugs, landmines, pornography, murder, litter, cryptography). The harder it is to get SC, the less it will be employed. Thus life is easier for the NSA. The less it is employed, the more prominent are strongly encrypted communications. Thus life is easier for the NSA. Sure, maybe some day we'll all be using SC and strong steganography and the NSA will be frustrated. But I'm not holding my breath.
I guess this is interesting because it's Open Source, but nCipher has been making chips that do 300 RSAs/s. 3Com recently announced an Ethernet card with a built-in crypto processor that does 3DES and TCP segmentation/reassembly/checksumming. They claim that using IPsec and this card results in no network slowdown, so presumably it can encrypt and decrypt at 100Mbps.
For just DES, At 0.35u, 100k gates would be on the large side. Single DES at 132mbit/s, possibly even 264Mbit/s should be doable in less than 20K gates. Probably a large part of the 100K gates are consumed by the RSA part of the design
N*able has some good stuff.
Smartcards have a use when used with a 'secure" reader ie tamper evident, and keypad to ensure PIN/password protected from the workstation operating system. Tamper-evident designs should reduce DPA attacks, while removing the card now and again reduces the number of samples DPA requires to be effective. Then of course, using a different symmetric key (DES-like) for every message is even better - but wait, that requires innovative key management (not necessarily PKI, however)
Of course, PKI in a smartcard is like fitting a lounge chair to a bicycle - the entire available machine power can barely cope with moving itself, let alone achive anything useful.
The point is that they are trying to make it HARDER for the rest of the world to get SC than it would be without US export restrictions.
Naive in the extreme. Restrictions on plutonium makes sense by that argument, because each time I need more plutonium I get more trouble. Software however is easily copied, so I would only need to smuggle it once. If I need more crypto after that I merely pirates what I already have.
And smuggling software is sooo easy. Just mail it out, email or diskette. Blatantly illegal, but uncatchable. The chinese pirate other software, pirating strong crypto too is just as easy.
Nothing to do with export control at all. PGP is available world wide strong crypto. It's interoperable and there's nothing the US government can do about it. It integrates into all the popular mail clients.
The reason crypto isn't used by default is the problem in deploying a safe infrastructure that's also convenient for everyone to use. Everyone has their own trust models they want to use, different views on how key managements systems should work, etc. It's going to be a long time yet before we get the environment we need for safe knowledge transfer across the Internet to 3rd parties.
Decrypting really fast is one method of cracking encryption, called the 'brute force' method. It is a generic method and assumes the worst case that the you know of no weak keys or any weaknesses in the algorithm or its implementation.
You know the key is somewhere between 0 and 2^52 (if it's a 52-bit symmetric key), so you try decrypting with a pass key of 0, then 1, 2, 3... until you finally hit the right one.
If the US had better crypto than everyone else, that could be a valid national-security basis for forbidding its export. We don't, of course, and I'm not aware of any other legitimate reasons to do so. I think the actual motive is indeed to interfere with widespread use by people who are not under criminal investigation, but that's hardly justifiable.
The laws don't even have to be broken. PGP/NETA exported source for a recent version of PGP legally, as a printed book that happens to be easy to OCR and verify (one of their few good decisions in years). Even US judges realize these restrictions aren't constitutional, once you frame the argument in terms of dead trees.
DES was never really broken, it's just a little to easy to brute-force, and triple DES takes care of that. The key size (112 bits) is pretty good, and security professionals are *very* confident in it after so much analysis. It's important to be conservative about adopting new algorithms that haven't been head-butted by the really smart folks.
If the context switch between RSA and DES isnt prohibitive you could send a new key via RSA a couple of times per second without breaking a sweat.
Firstly, and off-topic, no one in their right mind outside of Lower Slobovia thought the earth was flat. That's why the ancient Greeks (Aristhosthenes? Pythagoras?) were able to estimate the circumference of the earth to within a couple of kilometres using simple trigonometry.
The fact is that people's outlooks change. We /think/ that people thought the earth was flat, and now it's a general assumption - but untrue for the large part. No one thought to write in the inalienable right to privacy in the US' Constitution because no one ever tried to take it from them. It was a part of their lives, and no one would have *use* for these things.
In this day and age, privacy becomes very important -- and yet, the US is trying to take it away from the entire world - especially its citizens - with projects like ECHELON. It's about time that their constitution got changed to make privacy a right, the same way they have the inalienable right to bear arms (another thing which has changed over the years. "I have to defend myself against the King of England!" (Sorry, don't remember the exact quote from the Simpsons.))
A stream cipher like RC4 can encrypt and decrypt data faster than you can read it from your hard drive. A modern processor can do a public key operation in fractions of a second. Few applications need public key crypto, perhaps only very heavily loaded secure servers. Almost no-one needs secret key (eg DES) in hardware: maybe only routers.
For most of us, such a chip wouldn't make anything we do noticeably faster or more secure.
--
Employ me! Unix,Linux,crypto/security,Perl,C/C++,distance work. Edinburgh UK.
Xenu loves you!
Whoops, of course millions of things need public key, but they don't need hardware acceleration. Damn those thinkoes.
There's special hardware designed to keep your secret keys more secure, now, but that's a different matter.
--
Employ me! Unix,Linux,crypto/security,Perl,C/C++,distance work. Edinburgh UK.
Xenu loves you!
// RANT_START
i know...the NSA is so fsckin paranoid that i guess they think the commies are gonna take our Top Secret secrets... GET OVER IT, NSA...there IS no privacy and security anymore, of anyone, they should know this well. The USA still has a butt load of nukes, so what the hell are the spooks afrad of?
// RANT_END
"There is no spoon" - Neo, The Matrix
The way I am reading this is that this device will be designed to [(en)(de)]crypt data transmitted via any type of communication link. This would work very nicely with a cellular/wireless communication link. [(en)(de)]crypttion can then be done in hardware in real time saving much valuable CPU resources. It could also be used for VPN's in the near future as better security.
While this chip is cute, and smartcard manufacturers have been making strides in putting good crypto functions into the cards, there is the big dark cloud of differential power analysis hanging over their heads that they have not dealt with yet. Basically a determined attacker can rip the secret keys from smart cards in a _very_ short period of time by observing power draws while the card is in use (i.e. the old "one" uses more power than "zero" problem.) Until this problem is dealt with anyone who uses a smartcard for crypto is just adding features for a marketting brochure and not adding any real security.
This sure flys against RMS's article
of just two days ago! He was saying
that he didn't see it as reasonable
to GPL hardware cause it's too
expensive.
Well - what about GPLing the DESIGN!
Sheesh
All the more power to these guys..
Steve
Have you compiled your kernel today??
What's stopping you from having three of these chips, do to Triple DES at the full rate that one chip does DES?
(Ok, other than cost and board real-estate...)
--Joe--
Program Intellivision!
Now that gives me the privacy heebee geebees. (Someone, go moderate up the parent to this post.)
I hope that anonymizers start playing a more prominent role in such a society, otherwise requiring cryptographically strong signatures on everything will become a rather effective tool for oppression.
Of course, such a system will only really work if people protect their digital signatures much better than anything else they currently protect. For goodness sakes, our ATM accounts are protected by a 4-digit PIN, and my credit cards are protected by my mother's maiden name. *sheesh* Then again, if we're forced to use biometric data gathered with standardized, regulated machines in order to generate digital signature data, a digital signature is as good as or better than a fingerprint.
--Joe--
Program Intellivision!
Well, the device does DES and RSA, implying there's alot of good communications infrastructure, and that the encryption cores themselves are largely decoupled from the rest of the design. At least, that's what I'd hope they did, since it would make the part more valuable overall: You could plop the encryption cores into other chips that had different communication requirements easily, and you could drop different encryption cores into this chip easily.
If that's the case, then we can reuse all the communication bits, and replace the DES core with an RC5 key-crunching core. This is alot like the way d.net clients share the most of the same block management and network communication code between the DES and RC5 cores it has internally -- the key cruncher is actually a small (yet very important) part of the overall problem.
Ah, isn't 'open source' fun?
--Joe--
Program Intellivision!
The natural question for many /.'ers that also participate in distributed.net is whether or not this will be useful for crunching keys.
I'm guessing, in it's base form, the device is tuned for (en|de)crypting large volumes of data with a fixed key, and that key reloads are expensive. Translation: It won't help a d.net-style keysearching effort much as-is.
Does anyone have more information on this to confirm or deny this conjecture?
Also, is anyone out there crazy enough (and skilled enough w/ VHDL) to hack this device into the world's fastest RC5 block cruncher? :-) Places like MOSIS will fab "educational" and "prototype" designs in small quantities for reasonable prices.
--Joe--
Program Intellivision!
I don't think anyone in the US government actually thinks that only the US has good crypto and that export restrictions really limit the availability of strong crypto outside the US.
They may appear to act dumb at time, but this is a result of politics, not stupidity.
Export restrictions are actually working very well to limit the widespread acceptance of interoperable encryption standards. Without export restrictions we could have had most traffic encrypted as the default option by now.
This is done using the technology export regulations because that's the tool they have. If they didn't have that they'd find some other way to do it.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
I think instead of uncle sam ther should be big brother sam :)
Kaoslord [quote goes here] define("slashdot purity","67.5");
Ha!!! I finished it in 3 days. Of course, in order to read about 300 pages a day I had to ignore my bladder's pitiful pleas for me to visit the restroom.
Scuttlemonkey is a troll
> But what WILL happen when all of our
> transactions and communications can be
> encrypted? Interesting question...
Then we will be able to enjoy the kind of privacy our great-grandparents took for granted. The kind of privacy the founding fathers of the United States took as a given, so much so that they (unfortunately) didn't bother to explicitly write it into the constitution, even though other amendments (such as the fourth) clearly imply that such privacy was simply a fact of life, like getting up in the morning and feeding your horse.
Chips like this may or may not usher in a new age where levels of personal privacy return to the level they were at a few decades ago, but at least they'll require that the spooks do a little work (hopefully hard work) whenever they feel compelled to violate ours.
The Future of Human Evolution: Autonomy
So when will this headline become standard? I think having a computer with a powerful large bit crypto chip could be convienent.
Yet more evidence that the U.S. Gov't's policy on export control of crypto products is obsolete. Sorry spooks, its already overseas, and its well known enough that students can even put it in hardware. Give up already.
Are you implying that you've already finished that giant?!
One day... and that was after an all-night rave. Now I'm just waiting for his next book, containing the two subplots he couldn't add in due to book size restraints, to come out so I can have some real time reading again.
Here's a working link to the article.
--The more you know, the less you know.
I don't think the government is even worried about not being able to read other countries' messages. I think they're much more concerned about not being able to monitor communications in the US. With all this Echelon stuff lately you have to wonder if they're more interested in spying on their own country rather than other ones. They can already listen to our phone calls any time they want to, so i'm sure they want to continue to be able to read our email if they want to also. What a buncha crap. I think everything should be encrypted. Believe it or not there are things that are none of the government's business.
Bastards.
-=Cozmo=-
NOTHING the government can do will prevent other countries from using crypto. You will never be able to keep chips like this out of the hands of the "bad guys" (any country other than our own, and including our own). There is nothing you can do about it. I can't believe the US is trying to control the crypto in other places. They have as much right to use it as we do. The US gov. gets so pissy sometimes its unreal.
Does anyone know how large a chip like this would be? It seems like at .35 with 100,000 gates it would be relatively tiny. So we should be able to fit 50+ of these on one PCI card. Have one 16 bit microcontroller + 16k ram on it. You should then be able to sell the PCI card and write a tiny driver to send/receive data from it. Or maybe combine 15 of these at a time on one chip and pop 4 of the chips on a PCI card, whatevers more economical. This would make an interesting card to pop in your slot. I've been wondering what to put in my last empty PCI slot...
The Cryptonomicon is almost here. Neal, I thought you wrote Science "Fiction".
Ever since reading that, I've been getting more and more paranoid with my communications. I applaud these efforts.
Oh yeah, gotta be careful with those Crypto exports... (snigger)
But what WILL happen when all of our transactions and communications can be encrypted? Interesting question...
It's a thankless job, but I've got a lot of Karma to burn off
The point of a chip like this is to have authentication happen on secure hardware, not an insecure host. This is useful in a lot of applications, especially smart card readers.
For example, monetary transactions - your smart card holds your key and the smart card reader does all of the authentication and sends a signed request to the merchant. That way, you don't have to worry about credit card numbers flopping around all over the place. The transaction takes place between your card and the vendor.
Another possible use could be for logging in - no more worrying about passwords because you can sign in with your key (stored on the smart card) and pin number.
Besides, we in America already have cool stuff like this. Check out http://www.nabletech.com and their N*Click chip
Invidia fortunum ovit.
Europe doesn't need crypto if we keep speaking french :)
nosig today
Anyone know where I can find an English translation of this article.
Project Echelon basically involves series of discreet listening posts placed world wide. These listening posts are capable of intercepting Infared signals, Radio Waves (RF Transmissions, ie cordless phones), ANYTHING sent via telephone lines (land lines, or cellular based)...
In short, they basically listen in on anything we can do, crypto or not...
On a side note, we all remember the Clipper Chip, right? The one that the NSA banned because they couldn't crack it, and the designer wouldn't allow the NSA to "put a back door in.. for the interests of National Security."
That is the whole point of brute-force attack against cryptosystems!! You only need a system which is capable of decrypting a given ciphertext with a given key. Therefore this chip DOES crack encryption. The EFF used a similar setup to crack DES, too.
I don't believe NSA will give a damn about this student project. With today's technology, DES is a joke anyway. It is a good algorithm if you have something to hide from your brother in the high school. I also don't believe that NSA will give a damn about any chip that encrypts/decrypts publicly available algorithms-designing a chip is not very difficult nowadays if you know a bit or two about FPGAs and hardware description languages.
However, if you find a way to crack these algorithms WITHOUT using a brute search, and publish it; expect a black helicopter from NSA on your backyard very soon.
Zigbee Central: A Zigbee weblog
Some of the information in the article may be a little bit misleading (what one person says, the second understands and the third person translates from german into english... ;-) ). So let me try to clarify some things:
1. We (or Alcatel) are currently not planning any high-volume fabrication of the chip. What the students have designed until now is a gate-level netlist based on an Alcatel standard cell technology. The design is now being simulated thoroughly. The next step may be to get a few prototypes fabricated for educational and research purposes.
2. The Intel 80286 processor has got 134,000 transistors (not gates!). The crypto chip has got a complexity of about 100,000 gates which corresponds to approximately 400,000-450,000 transistors. This number is comparable to the Intel 80386 processor (275,000 transistors).
Some remarks on/answers to previously asked questions:
- The estimated size of the chip is 10mm.
- The DES part is in fact optimzed for en-/decryption and not for crunching keys: DES keys are loaded using RSA encryption which is comparably slow.
Gundolf Kiefer
The NSA is not going to be happy about this chip. If you set up a network based on this chip in the NIC ...
so much for my packet sniffer...
watch the US bans the chip as a "threat to Natinal Security".
8)