Crypto to defend chip IP: snake oil or good idea?

Thor Lancelot Simon tls at rek.tjls.com
Fri Jul 28 22:19:43 EDT 2006 

On Fri, Jul 28, 2006 at 06:46:54PM -0600, Anne & Lynn Wheeler wrote:
> Thor Lancelot Simon wrote:
> >The simple, cost-effective solution, then, would seem to be to generate
> >"static serial numbers" like cipher keys -- with sufficient randomness
> >and length that their sequence cannot be predicted.  I still do not see
> >the advantage (except to Certicom, who would doubtless like to charge a
> >bunch of money for their "20-40k gate crypto code") of using asymmetric
> >cryptography in this application.
[...] 
> so is the issue really with asymmetric key cryptography technology done 
> in custom circuit design ... or is the issue with certicom??

The issue is with unnecessary complexity that yields (still, to my
eye) no demonstrable security benefit in the applications for which
the Certicom press release claimed it was intended.  As I said before,
I think the basic "chip generates key pair, public key signed during
manufacturing" solution is a very clever one -- but only to problems
which _also_ justify the cost of a very serious tamper-proofing effort
aimed at protecting the private key, and where it is a requirement of
the application that the original fab _itself_ not have that key as
part of the manufacturing process, e.g. where it will be used as a
master secret for persistent storage of other keys.  In other words,
for devices like IBM's cryptographic modules.  But for the purpose
Certicom claimed (and you seem also to be claiming) it's suited for:

As Perry said, chip fabs have plenty of diagnostic equipment that
would extract an RSA private key every bit as easily as it would
extract a private serial number, which means that the additional cost
of 20-40 gates, plus IP licensing, plus... for a cryptographic engine
is strictly wasted.  I am a happy Certicom customer but I certainly
wouldn't buy _this_ product from them.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list