One-chip MAX10 FPGA-based module enables hardware security

source link: https://linuxgizmos.com/one-chip-max10-fpga-based-module-enables-hardware-security/

Aug 19, 2021 — by Jeff Child

Skudo is crowdfunding Kryptor FPGA, a single-chip hardware security module (HSM) based on an Intel MAX10 FPGA. At $129 and up, the board embeds a soft-core suite of security encryption functions. A free Raspberry Pi API for Linux is available for the module.

Estonia-based Skudo went live earlier this week on Crowd Supply with its Kryptor FPGA board. The one-chip card functions as a hardware security module (HSM) and a MAX10 FPGA development board. In order to make Kryptor FPGA more accessible to IoT developers and makers, the company says it’s providing a free Raspberry-Pi-compatible API for Linux. Skudo says the API will “allow almost anyone to get started in mere minutes.” An Arduino library is also provided.

As we post this story, the Kryptor FPGA Crowd Supply campaign has raised $2,128 of its $13,000 crowdfunding goal since going live on August 17. At the $129 level, backers get one Skudo Kryptor FPGA board, a voucher for a free Skudo HSM softcore download, one BB-170 solderless plug-in breadboard, and six male/female 10cm jumper wires. For $249, backers will get two Skudo Kryptor FPGA boards, two vouchers for a free Skudo HSM softcore download, two BB-170 solderless plug-in breadboards, and 12 male/female 10cm jumper wires. Other products in the campaign include a $21 Kryptor JTAG adapter and a $16 FPGA programmer called USB Blaster. The Crowd Supply campaign is scheduled to end on September 28, 2021. All orders placed now are scheduled to ship Feb 28, 2022.

In 2020, Skudo signed a contract with the European Space Agency (ESA) to develop and demonstrate a special encryption solution combining the CCSDS SDLS TC/TM data space protocols with a PKI, asymmetric cryptography functions and Skudo’s own HSM FPGA chip. The Kryptor FPGA boards in this Crowd Supply campaign are basically the same, aside from a different MAX10 FPGA model used for the ESA project. Skudo says all the HSM softcore functions used for the ESA contract are a direct derivation from the ones provided in the Crowd Supply campaign. The “voucher” mentioned earlier allows backers to download Skudo’s entire HSM soft-core suite (with support for Camellia symmetric encryption, ECDH, ECC25519, Skein, and the FIGARO TRNG) for free.

Based on the Intel/Altera 100MHz MAX10 8K LE FPGA, the 22.8 x 31.2 mm Kryptor FPGA is literally a one-chip design. All encryption functions take place inside the FPGA, and all data is stored in the FPGA’s internal 1,376Kb flash memory. This means that there are no connections between the HSM and storage that can be hacked. The FPGA has 378Kb of internal RAM, and GPIO links are available from the FPGA (although fewer are accessible via the board). The module can be controlled via an API compiled library and command line interface.

The card sports 1x SPI, JTAG/pogo pins, and 3x LEDs. Anti-piracy duplication protection is provided via chip ID. The soft-cores are encrypted and cannot be executed on a different physical PCB. Kryptor’s Camellia symmetric encryption speed is up to 108Mbps on a single core (with SPI link speed capped at 100Kbps). Power consumption ranges from 58mAh in FPGA idle mode up to 64mAh when the FPGA is encrypting.

A major selling point of the Kryptor FPGA is its ability to do hardware encryption. Kryptor FPGA replaces all software-based encryption functionality with hardware-based implementations and reduces its attack surface, according to Skudo. This lets you more easily defend against viruses, malware-injection attacks, and exploitable bugs because you’re avoiding the use of an operating system. The single-chip aspect of Kryptor likewise ensures security. Both the RAM and the flash memory circuitry are self-contained within the FPGA. Such an architecture is safer than relying on external chips, each of which, in turn, would need to be physically secured, says the company.

Verifiability is touted as another main advantage of the board. The entire implementation can be verified using well-known, proven open-source encryption primitives. Meanwhile, as open hardware, Kryptor provides inherent transparency and verifiability. Skudo emphasizes the transparency aspect. Transparency “allows our customers to rule out the possibility that Kryptor might contain back doors or other hidden elements. To that end, we are giving independent third parties access to our technology and to our technical documents,” says the company.

Running the HSM soft-core, the Kryptor can provide the following security functions, all within the FPGA:

  • Generate and store up to four symmetric encryption keys within the FPGA, to accelerate work on up to four encryption streams
  • Generate and store up to four asymmetric encryption key pairs within the FPGA to accelerate work on up to four encryption streams
  • Generate random numbers based on a true random number generator (TRNG)
  • Generate and store a root asymmetric key pair (the private key of which will never be exposed)
  • Perform hashing operations
  • Encrypt and decrypt a file using any stored key (symmetric or asymmetric)
  • Execute an elliptic-curve cryptography (ECC) function on a given asymmetric key
  • Load any public key or extract any public key from those generated internally

Further information

As mentioned earlier, the Kryptor FPGA can be pre-ordered with accessories from Skudo’s Kryptor Crowd Supply page, at prices starting at $129. Shipping to the U.S. is free, with $10 shipping elsewhere. Orders placed now are expected to ship Feb 28, 2022.
