[Cryptech Tech] Roadmap & remarks about the opportunity of developing a secure TOR router on the Novena platform.

★ STMAN ★ stman at riseup.net
Wed Aug 6 08:50:57 UTC 2014


Hello Joachim,

I agree with you:

No, of course, I don’t trust Xilinx's implementation of PCIe, as it is impossible to check the corresponding VHDL code.
Now, there are many « Free VHDL PCIe cores » available on OpenCore.

But in the project we want to develop, this may not be such a big problem: the workaround would be to cipher all the messages we exchange on the PCIe bus.

And in the particular project we are planning, it would mean using the PCIe bus to exchange TCP/IP packets with the Secure TOR router:
- We would have a driver on the PC hooking TCP/IP stack packets to encrypt and send them to the PCIe TOR Router end-point, so if the PCIe has some backdoors, as we would cipher the data sent through it, these backdoors would be useless.

Do you agree with this approach?


On 6 August 2014 at 09:01, Joachim Strömbergson <joachim at secworks.se> wrote:

> Signed PGP part
> Aloha!
> 
> ★ STMAN ★ wrote:
> > Hi Joachim & Linus & Lilith,
> >
> > For the replacement of the Novena which is not « suitable » for
> > prototyping secure TOR routers (Too many custom additional hardware
> > to build for being fully operational), I am thinking for the moment of
> > this development board :
> >
> > http://www.em.avnet.com/en-us/design/drc/Pages/Xilinx-Spartan-6-FPGA-LX75T-Development-Kit.aspx
> >
> >
> >
> > - It has all that is needed to do the job right.
> > - It is not expensive.
> > - It is suitable with its PCIexpress bus to fit in standard PC’s.
> > - It has a standard FMC expansion connector :D
> 
> Avnet makes pretty good boards. But are you really considering using
> PCIe for connectivity? AFAIK there are no complete PCIe open source
> cores. Would you really trust the Xilinx PCIe macro?
> 
> I assumed that given the security requirements you would have, the
> machine we are discussing would either be:
> 
> - A simple addon connected using a fairly simple though also fairly slow
> interface to a common PC.
> 
> - A complete, self contained system.
> 
> I don't think the Avnet board is imho not very usable for either of
> those two solutions.
> 
> In either case I would use the Novena and the TerasIC boards (for
> diversity) to develop the main functionality (key signing for example).
> And then in parallel design a more application specific board. For
> example using one of the TerasIC boards and remove the cruft not needed
> and add things like manual switches directly in the path of a key store
> flash to block remote changes.
> 
> I really like the TerasIC boards. They are easy to use (connects cleanly
> to the tools) and have good documentation including schematics,
> reference designs etc.
> 
> --
> With kind regards, Yours
> 
> Joachim Strömbergson - Always in harmonic oscillation.
> ========================================================================
> Joachim Strömbergson          Secworks AB          joachim at secworks.se
> ========================================================================
> 
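The approach proposed in the message above (encrypt every packet before it crosses a PCIe core that cannot be audited), as an added sketch that is not code from this thread or from the Cryptech project. The names `Link`, `NewLink`, `Seal` and `Open`, the frame layout and the choice of AES-256-GCM are assumptions made for illustration; the point is that the frame needs authentication and a sequence number as well as encryption, so that a bus that modifies or replays traffic is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Link is one direction of the host<->router channel over the untrusted bus.
// Assumption: one 256-bit key per direction, provisioned out of band.
type Link struct {
	aead cipher.AEAD
	seq  uint64 // sender: last sequence sent; receiver: highest accepted
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Link{aead: aead}, err
}

// Seal frames one packet as nonce(12) || ciphertext || tag(16); nonce = 0^32 || seq.
func (l *Link) Seal(packet []byte) []byte {
	l.seq++ // never reused under one key, so the GCM nonce is unique
	hdr := binary.BigEndian.AppendUint64(make([]byte, 4, 12), l.seq)
	return l.aead.Seal(hdr, hdr, packet, nil)
}

// Open rejects short, replayed and modified frames before returning a packet.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < 12+l.aead.Overhead() || binary.BigEndian.Uint64(frame[4:]) <= l.seq {
		return nil, fmt.Errorf("short, replayed or stale frame")
	}
	pt, err := l.aead.Open(nil, frame[:12], frame[12:], nil)
	if err == nil {
		l.seq = binary.BigEndian.Uint64(frame[4:]) // advance only after the tag verified
	}
	return pt, err
}

func main() {
	tx, _ := NewLink(make([]byte, 32)) // constructed all-zero demo key
	rx, _ := NewLink(make([]byte, 32))
	pt, err := rx.Open(tx.Seal([]byte("constructed IP packet")))
	fmt.Printf("%q %v\n", pt, err)
}
```

The bus can still drop frames and observe their size and timing; the checks only guarantee that whatever the receiver accepts is authentic and fresh.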
