Home / Blogs

Cyptech Needs You!

In August of last year I wrote in a blog about the importance of cryptech to wide-scale trust in the Internet.

For those who don’t know about it, http://cryptech.is is a project aiming to design and deploy an openly developed, trustable Hardware Security Module (HSM) which can act both as a keystore (holding your secrets and keeping them private) and as a signing engine.

Unfortunately, the Project is underfunded. At the time of writing it has enough headroom for the next few months, but development could slow to a crawl if it cannot secure more backing. Cryptech operates on a model that caps funding to $100,000 per year maximum per donation, to ensure there is no capture by a single entity. Larger sums can be donated through ISOC which can act as a clearing house.

So, it’s time for us all to tighten the belts, reach into the pockets, and pony up some funds to keep this project going.

Where Cryptech is at

Recently, the project completed its first phase of design and has now got initial units built around the novena board. This is a general purpose (Linux friendly) hackable board which includes an FPGA, and therefore can be targeted by the Verilog/VHDL of the cryptech design. The group has also designed a board to act as a source of ‘noise’, which is used to seed the random number generators (strong cryptography depends in many cases on a source of trustable random information to seed key generation and for other purposes such as one-time pads).

The noise sources have been tested, with large amounts of data produced and run through well understood external tests of randomness, and passed the review.

This initial design doesn’t have things a real HSM must have: ‘potting’ of parts of the system to ensure they cannot be measured externally to derive information about the keys, and intrusion detection, which can be used to securely wipe secret keys if somebody attempts to subvert the hardware and read them off the system. Even without these, the units are capable of acting as a keystore, and signing engine, and can be tested against mainstream crypto packages like OpenSSL (which has a PKCS11 module and can ‘talk’ to an HSM in a standards defined manner).

The final device will be using USB to communicate with the outside world. Given recent news about the risks of USB, the design terminates the USB communications in a small single-purpose chip which then provides standard serial I/O signals to the main system: there is no direct USB connection to the outside world, and you cannot ‘take control’ of the cryptech device via a USB hack on the hardware.

The ‘alpha’ stage boards

are in late stage development, due this summer. Board designs are being discussed and layout finalized.

Recently Cryptech secured repeat funding of $100,000 in 2015 from Google research courtesy of Vint Cerf.

If you cannot help with funding, Cryptech welcomes assistance with documentation, promotion and you can show support (like me) by getting the word out to the wider community, and ensuring people realize how important a community led independent HSM is going to be to the long-term trust of the Internet.

This is a repost of the APNIC blog article originally posted on 2015/04/13

By George Michaelson, Senior Research and Development Scientist at APNIC

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global