Download - Hardware Cryptographic Coprocessor
Hardware Cryptographic Coprocessor
Peter R. WihlSecurity in Software
The Problem
• Need for secure computing in an environment where computing is distributed, insecure, and even hostile
• More and more, we use computers that belong to others, but we need to know our data is safe.
The Goal
• Create a trusted computing device that can be added to an untrusted computing system to make it secure.
• Isolate your secure processing from the rest of your system.
Example 1 - Database
• Create a central database system that allows only authorized users to access to only their data on the system.
• Exclude even the system administrator from viewing any data in the database.
Example 2 – Trusted Boot
• You have an untrusted computing system, but you want to ensure that it boots the correct machine code.
• Want to make sure that the boot code has not been altered or tampered with
Example 3 – Protected Data At Rest(My Favorite!)
• You have sensitive data that you can access in a controlled, protected environment but must be protected when not being accessed
• Protection of data needed between use of it i.e. during transportation
A Secure Coprocessor
• A general-purpose computing environment • Withstands physical attacks and logical attacks• Must run the programs that it is supposed to,
and must distinguish between the real device and application and a clever impersonator
• Must remain secure even if adversaries carry out destructive analysis of one or more devices
• Started in the early 1990’s
Evaluation Parameters
• Physical Protection (tamper resistant)• Reliability (physical or electrical damage)• Computational Ability (Speed bps)• Communications• Portability• Cost
Applications
• Generalized Access• Generalized Revelation• Autonomous Auditing• Trusted Execution
Classes of Solutions
• IC Chip Cards (Smart Cards, Your GSM Phone has one)
• PCMCIA Tokens (Fortezza)• Other Card Tokens (Secure ID)• Smart Disks (Obsolete)• Bus Cards (IBM 4758)• Your Body (the future is now)
FORTEZZA™ CRYPTOCARD
Fortezza Features
• Data Privacy• User ID Authentication• Data Integrity• Non-Repudiation• Time stamping
RSA SecurID
• Software tokens support qualified smart cards or USB authenticators
• Stores symmetric key and is PIN protected• Stores digital credentials• Only secures the login process
The IBM 4758• Tamper-responding hardware design certified under
FIPS PUB 140-1. Suitable for high-security processing and cryptographic operations
• Hardware to perform DES, random number generation, and modular math functions for RSA and similar public-key cryptographic algorithms
• Secure code loading that enables updating of the functionality while installed in application systems
• IBM Common Cryptographic Architecture (CCA) and PKCS #11 as well as custom software options
• Provides a secure platform on which developers can build secure applications
The 4758 Architecture
SafeNet SafeXcel™ 241-PCI Card
• Provides industry-leading cryptography throughput for operations such as:– DES and Triple-DES encryption– MD5 and SHA-1 Hashing– Random number generation– Public key computations:
- Diffie-Hellman key negotiation- RSA encryption and signatures- DSA signatures
SafeXcel™ 241-PCI Architecture