Microsemi develops FPGA security/secure-boot programme

August 07, 2014 // Graham Prophet

Extension of a Cryptography Research differential power analysis patent license renews the focus on security for critical communication, industrial and defence applications; the patent and related work provide resistance to DPA attacks.


Microsemi says it is the only major FPGA company that currently has a license to use the patented DPA countermeasures, and has implemented DPA-resistant secure programming and boot-up protocols in its SmartFusion2 SoC FPGAs and IGLOO2 FPGAs. Microsemi will now be able to extend the secure boot protection of these Microsemi devices to other third-party MCUs, DSPs, GPUs and FPGAs used within the same system. Microsemi is currently working with customers on the secure boot solution, and is offering it as a reference design that runs on Microsemi's standard cryptographically-enabled SmartFusion2 and IGLOO2 FPGAs.

"It is more critical than ever to prevent persistent malware implants in boot and application code. Supervisory control and data acquisition (SCADA) systems, routers and data communications systems together control the world's industrial and communications infrastructure where these threats can be catastrophic," said Bruce Weyer, vice president of marketing and business operations, at Microsemi. "In addition, the U.S. government and defence contractors are looking to share the cost of defence systems through the expansion of foreign military sales. These DoD contractors are looking for ways to secure their advanced technology systems against reverse engineering and exploitation so they can be exported safely, and our secure boot solution is an important security layer in providing that protection."

In the Internet of Things era, connected machines need to be secure, and secure in the sense of DPA resistance. Just because a machine or system says it meets the Advanced Encryption Standard (AES), it does not necessarily mean it is secure. Microsemi notes that its DPA countermeasure solution increases overall system security by protecting the keys stored in the system against side-channel attacks.


Microsemi Continues Its FPGA Security Leadership for Secure Boot with Extension of …

Significantly Increasing Security for Critical Communication, Industrial and Defense Applications, Patent Solution Provides Resistance to DPA Attacks

ALISO VIEJO, Calif. Microsemi Corporation (Nasdaq: MSCC), a leading provider of semiconductor solutions differentiated by power, security, reliability and performance, today announced the company has obtained an extension of its existing Differential Power Analysis (DPA) patent license from the Cryptography Research division of Rambus. The patent license extension allows Microsemi to continue providing industry-leading solutions for the secure booting of third-party processors and FPGAs using the Cryptography Research portfolio of patented breakthrough DPA countermeasures.

Microsemi is the only major FPGA company that currently has a license to use the patented DPA countermeasures, and has implemented DPA-resistant secure programming and boot-up protocols in its SmartFusion2 SoC FPGAs and IGLOO2 FPGAs. Microsemi will now be able to extend the secure boot protection of these Microsemi devices to other third-party MCUs, DSPs, GPUs and FPGAs used within the same system. Microsemi is currently engaging key customers with the secure boot solution, and is offering the solution as a reference design that runs on Microsemi's standard cryptographically-enabled SmartFusion2 and IGLOO2 FPGAs.

"It is more critical than ever to prevent persistent malware implants in boot and application code. Supervisory control and data acquisition (SCADA) systems, routers and data communications systems together control the world's industrial and communications infrastructure where these threats can be catastrophic," said Bruce Weyer, vice president of marketing and business operations, at Microsemi. "In addition, the U.S. government and defense contractors are looking to share the cost of defense systems through the expansion of foreign military sales. These DoD contractors are looking for ways to secure their advanced technology systems against reverse engineering and exploitation so they can be exported safely, and our secure boot solution is an important security layer in providing that protection."

According to the Aberdeen Group, by the year 2020 approximately 50 billion machines will be connected. Not only do these machines need to be secure, but they need to be secure in the sense of DPA resistance. Just because a machine or system says it meets the Advanced Encryption Standard (AES), it does not necessarily mean it is secure. Microsemi's DPA countermeasure solution increases overall system security by protecting the keys that are stored in the system against side-channel attacks.

"By extending this license, Microsemi and its customers are helping to secure the massive number of processors and FPGAs used in critical industrial, communications, networking and defense applications, many of which are still vulnerable to the DPA attacks," said Paul Kocher, chief scientist of the Rambus Cryptography Research division. "While the security issues surrounding side channel attacks have continued to gain notoriety, expanding this needed power analysis protection for the boot stage of FPGA devices and processors is an important step towards securing overall systems."

Microsemi is in a unique position to be able to offer this enhanced secure boot solution because, in addition to having the most secure FPGAs on the market, Microsemi also offers a software product called WhiteboxCRYPTO that allows the secure execution of standard cryptographic algorithms.

About Differential Power Analysis Attacks

DPA is an insidious and powerful technique hackers use to extract secrets such as cryptographic keys from an electronic device by externally monitoring the instantaneous power consumed by the device while it is operating on the secrets. CRI's secure boot is a highly effective security measure that ensures a programmable device such as a microcontroller (MCU), digital signal processor (DSP), graphics processor (GPU) or field programmable gate array (FPGA) is executing authentic code that has not been tampered with or altered.

About SmartFusion2 SoC FPGAs

SmartFusion2 SoC FPGAs integrate inherently reliable flash-based FPGA fabric, a 166 megahertz (MHz) ARM Cortex-M3 processor, advanced security processing accelerators, DSP blocks, SRAM, eNVM and industry-required high performance communication interfaces, all on a single chip. Microsemi's SmartFusion2 SoC FPGAs are designed to address fundamental requirements for advanced security, high reliability and low power in critical communications, industrial, defense, aviation and medical applications. For more information visit: http://www.microsemi.com/products/fpga-soc/soc-fpga/smartfusion2.

About IGLOO2 FPGAs

Microsemi's IGLOO2 FPGAs continue the company's focus on addressing the needs of today's cost-optimized FPGA markets by providing a LUT-based fabric, 5Gbps transceivers, high speed GPIO, block RAM, a high-performance memory subsystem, and DSP blocks in a differentiated, cost and power optimized architecture. This next generation IGLOO2 architecture offers up to five times more logic density and three times more fabric performance than its predecessors and combines a non-volatile flash-based fabric with the highest number of general purpose I/Os, 5Gbps SERDES interfaces and PCI Express end points when compared to other products in its class. IGLOO2 FPGAs offer best-in-class feature integration coupled with the lowest power, highest reliability and most advanced security in the industry. For more information visit: http://www.microsemi.com/products/fpga-soc/fpga/igloo2-fpga.


New type of cryptography that can better resist "dictionary attacks"

Aug 05, 2014

Cryptographers in China have developed a new type of cryptography that can better resist so-called offline "dictionary attacks", denial of service (DoS) hacks, and cracks involving eavesdroppers. Their approach, reported in the International Journal of Electronic Security and Digital Forensics, extends and improves a type of cryptography that uses an intractable mathematical problem as its basis.

Public-key cryptography uses the complexity of certain mathematical problems that would take even a supercomputer many years to solve to lock up data that only a person with the private key can unlock. Early public-key systems used the problem of finding the prime factors of a very large integer. More recent protocols exploit the problem of finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point. This is the "elliptic curve discrete logarithm problem", an example of a mathematical problem that is essentially impossible to solve at the highest level without an array of supercomputers and tens of thousands of years at one's disposal. And yet it is computationally very efficient to implement and to encrypt data with.

Unfortunately, encryption systems always have loopholes and can always succumb to bugs or attacks on the computer system on which they run. The most recent form of elliptic-curve encryption widely used for internet logins and other applications can be breached by a so-called offline dictionary attack that simply tests every possible key, or password, with non-complex passwords succumbing the quickest. Moreover, the protocol can be attacked by an eavesdropper who monitors and replicates password entry by users, or by a denial-of-service attack that otherwise breaks the system and allows entry via a back door.

Pengshuai Qiao of North China University of Water Resources and Electric Power, in Zhengzhou, and Hang Tu of Wuhan University, Wuhan, China, explain that two fundamental requirements of secure communications over an insecure public network are password authentication and password updating. Previous researchers have extended password authentication and update schemes based on elliptic curve cryptography to the point where they are entirely robust against replay attacks, man-in-the-middle attacks, modification attacks and other potential breaches. However, this system, developed by computer scientists Hafizul Islam of the Birla Institute of Technology and Science in Pilani and G.P. Biswas of the Indian School of Mines, Dhanbad, India, failed to defend against offline password guessing attacks and stolen-verifier attacks.

Qiao and Tu have now devised an algorithm based on elliptic curve cryptography that precludes such security breaches by using a four-phase approach: a registration phase, a password authentication phase, a password change phase and a session key distribution phase. These are the same steps used in the Islam-Biswas scheme, but Qiao and Tu add two additional calculations on the user side for the final single-session password. This change means that offline dictionary attacks will never succeed, because even if the hacker guesses the user's password they will not have the necessary algorithm to recalculate the actual session password used each time by the user. The same addition also thwarts stolen-verifier attacks, because even if a third party has access to the verification protocol used by the system, they would still need to be able to perform the one-time additional pair of calculations for the given session.

The team's initial testing of the new system bodes well for secure implementation on a wide range of platforms for everything from mobile banking to web logins.


More information: Qiao, P. and Tu, H. (2014) 'A security enhanced password authentication and update scheme based on elliptic curve cryptography', Int. J. Electronic Security and Digital Forensics, Vol. 6, No. 2, pp. 130-139. http://www.inderscience.com/info/inarticle.php?artid=63109


Mount Allison student becomes first Canadian to present at international cryptography conference

Published on August 06, 2014

Mount Allison University honours computer science and math student Karen Korstanje recently presented her research at the Fourth International Workshop on Cryptography, Robustness, and Provably Secure Schemes for Female Young Researchers (CrossFyre 2014) - a conference designed specifically for women in cryptography - in Bochum, Germany. Korstanje, originally from Thunder Bay, ON, is the first Canadian to present at the CrossFyre conference and was one of only two undergraduate students to attend this year. "It was my first time at an international conference so I was a little nervous to present my research. But it was a very supportive environment," says Korstanje.

Mount Allison's Karen Korstanje is the first Canadian to present at the fourth International Workshop on Cryptography, Robustness, and Provably Secure Schemes for Female Young Researchers (CrossFyre 2014). PHOTO SUBMITTED

The fourth-year honours student presented new results from her summer research project in cryptography titled "Search for Weak Keys in the Dhall-Pal Cipher," supervised by Mount Allison computer science professor Liam Keliher.

Her research has focused on the analysis of the Dhall-Pal Cipher (DPC), a symmetric-key cipher introduced in 2010. The DPC was designed to be an efficient alternative to the widely implemented Advanced Encryption Standard (AES) cipher. Korstanje and Keliher's work focuses on cryptanalysis, designing attacks on current systems to show weaknesses.

"The attacks can show weaknesses in the cipher, how the information is being encrypted. Knowing these allows programmers to alter their work and makes their systems more secure," explains Korstanje. "We kind of have to think like a hacker to prevent different kinds of attacks and identify weaknesses in different cryptic systems."

Keliher, who is an expert in cryptography, says "Karen's work has revealed that many of the keys used by communicating parties lead to significant weaknesses in the DPC that allow encrypted information to be decrypted by an attacker with a minimum amount of computation (hence the term 'weak keys'). This represents a complete break of the DPC."

Korstanje and Keliher are now preparing a full paper based on this work for refereed publication.


CryptoLocker decrypted: Researchers reveal website that frees your files from ransomware

The CryptoLocker ransomware is as simple as it is devastating: Once it worms its way onto your system, it encrypts all of your precious files using strong 256-bit AES cryptography, which is virtually impossible to break if you don't know the private key (read: secret code) required to unlock it. Pay the attackers $300, and they'll give you the key. Don't pay, and your files stay scrambled forever.

Until now.

Researchers from FireEye and Fox-IT have managed to recover the private encryption keys used by CryptoLocker's authors, as well as reverse-engineer the code powering the malware itself, meaning the firms can unlock your files. And while they could no doubt make a pretty penny selling that service to victims at a price far less than CryptoLocker's $300 Bitcoin ransom, the security firms are taking the high road and providing the private key details for free via the just-launched Decrypt CryptoLocker website.

Screenshot of a PC infected with CryptoLocker.

The process couldn't be easier: Simply send the site one of the CryptoLocker-encrypted files on your PC, along with an email address. It'll scan the file to figure out the encryption specifics, then send you a recovery program and master key that can be used to rescue your ransomed data.

FireEye warns that some data might not be recoverable, particularly if you've been infected by a CryptoLocker variant rather than CryptoLocker itself.

BBC reports that 500,000 people fell victim to CryptoLocker, with 1.3 percent forking over cash to free their files. In other words, the malware earned its makers around $3 million before the criminal network was smashed by authorities and security researchers in May.

Variants are still scuttling around the web, however. Beyond using security software and safe browsing practices, the best offense against ransomware is a strong defense. Making regular backups will let you easily recover your data if your PC ever falls prey to an encryption-based attack.
