August 18, 2008
Blood Sport – Securities & Security
Some standards have robust security built in, which protects third-party multi-media - things like HDMI [high-definition multimedia interface]. WiMax also has a security scheme similar to HDMI for building security requirements into the hardware, and Blu-ray as well. All of these things take security very seriously at the silicon layer, because that's where you need to store sensitive information that's fundamental to how the system works.
Brian Neill - A lot of security standards have licensing bodies or are proprietary. HDCP [High-bandwidth Digital Content Protection] is licensed by Intel, for instance. When you license a technology - say HDCP or AACS [Advanced Access Content System] for Blu-ray - the licenses say data will be secure, both in the field and while the device is being manufactured.
But it's pretty common knowledge that when you're using subcontractors in Asia for manufacturing, those subcontractors haven't signed the license, so it's up to you to make sure your subcontractors are complying. Or, it's up to us here at Certicom [working on behalf of our customers] to be sure that all levels of security are being honored.
Peggy Aycinena - Clearly, there's a lot of motivation and market pressure to get these security issues under control. What are you guys contributing?
Craig Rawlings - Kilopass provides secure storage in the chip in the silicon layers, in the physical layers.
Brian Neill - And Certicom's role is to get that secure information into the chip during manufacturing at the factory.
Craig Rawlings - We call this front-to-back security. The front-end from design, and the back-end from manufacturing. Our two companies are joining forces as strategic partners to set the stage for what we're about to tackle.
Peggy Aycinena - I'm lost again. What data are we securing here?
Craig Rawlings - We have all these sophisticated locks, encryption schemes that provide an incredible lock. The problem is, you can have the greatest lock on the front of the house and still have to leave the key somewhere. In our case, these keys are stored in non-volatile memory, [which is retained even] if the power's taken away.
In the past, that's been a hard drive, or masked ROM, or a data stick. These traditional non-volatile memory technologies are relatively low cost, but they're not physically secure. In a hard drive, for instance, you can scan it magnetically to get the information off of it. Attackers are very sophisticated these days and have figured out how to go for the key first. Then, everything else in the security scheme falls apart.
Peggy Aycinena - So we're talking about securing the key?
Craig Rawlings - Yes, we're specifically talking about the storage of encryption keys for protecting media that's distributed through the HDMI interface, the standard for communicating or distributing information between different types of multi-media equipment.
Kilopass has a high-density NV memory technology that's built into standard logic CMOS. You don't need to store the key information in an external device in this case, because it's built into the physical layer during the manufacturing process. High-density memory keeps the costs down in terms of die area, and therefore makes a great storage facility for the key.
Our technology is based on an anti-fuse, where we're actually hiding the key information amidst the atoms of silicon. It's like looking for a needle in a haystack to find the key, unless you know where to look, because it's based on randomness. This makes the memory, and the key stored there, very secure from all types of attacks - passive attacks, semi-invasive attacks, and invasive attacks.
Peggy Aycinena - Can you define those categories of attack?
Craig Rawlings - Passive attacks are done electrically without looking inside the chip. You can determine what's in there by giving stimulus to the device and seeing how it responds.
Semi-invasive attacks may involve doing things environmentally or through modest physical attacks - breaking the device open and looking at it under a microscope to see what's in there.
Invasive attacks are deep attacks. Some people use microprobes. They can even attach a wire inside of the chip, but they have to have a big budget for the very fine equipment needed to do that. Basically everything's hackable.
Peggy Aycinena - And everybody has a price, which really guarantees that everything's eventually hackable, even hardware.
Craig Rawlings - Yes, everybody has a price. But we want [to set the price very high], to force them to have a lot of money and a lot of resources [to do this work]. We don't want to have to worry about some teenager in Sweden breaking into a standard that protects data.
Peggy Aycinena - Couldn't you just hire those Swedish teenagers?
Brian Neill - Maybe, but they'd need a business plan. [Laughing]
Craig Rawlings - Or, we could force things down into the silicon layer where it's a lot harder to attack, so no kids or adults will be successful at breaking the standard. Also, if it requires somebody with a Ph.D. to understand the technology, [we're in better shape from a security point of view].
Peggy Aycinena - I'm not sure all hackers are really unethical. Maybe they just see it as a challenge, a puzzle to be solved.
Craig Rawlings - Yeah, a lot of teenagers are probably just mischievous, but we're not just looking at key storage as an application for the Kilopass technology. We're also looking at design IP protection. We live in a very global marketplace, IP protection is not equal across all borders, and legal protections aren't as compelling as they used to be. We all know that if you don't protect innovation - which is what IP is all about - innovation comes to a screeching halt.
Peggy Aycinena - How did you guys find each other?
Brian Neill - We were both looking on Google for something like the other guy had. When we saw that our two products are distinct, but co-exist, we asked - why not tie our two products together more closely? That's the genesis of our partnership.
Peggy Aycinena - Brian, what does Certicom contribute to the partnership?
Brian Neill - At Certicom, we see our product as an add-on to Kilopass memories, an add-on that allows the memory to be programmed natively by a Certicom key-inject system at post-package test. Not only do we stick appliances on the test floor to do this work [at the manufacturing site], we also offer software that takes keys for different standards and injects them into the device.
Basically, you have to decrypt the key before you put it into the chip, so you have this security gap at the tester. With our tools, we keep keys protected all the way to the chips. There really isn't any technology on the market right now that competes with that.
So, from Certicom's point of view, we get and protect the secret data that people sign away their life for. You might purchase a set of a million keys, for instance, then put each of those keys into a million devices, so everything's unique.
Peggy Aycinena - Craig, the Kilopass contribution?
Craig Rawlings - When the key is stored in the chip, we make it much harder for that key to be exposed. That information's much more secure inside the chip.
Peggy Aycinena - So again, why can't security be handled in the software?
Craig Rawlings - Brian actually does do some software security.
Brian Neill - We do have products in software, using general-purpose platforms. We configure those general-purpose platforms using COT components to do what you have to do. That's great for word processors, but we've had 2 decades of software with people trying to do security in software, and we always find that you need to obfuscate things to hide the cryptographic keys. You have to keep the key in memory or in special tokens or other portable hardware, or do it by putting the key into the chip itself.
-- Peggy Aycinena, EDACafe.com Contributing Editor.