CryptoManager Archives - Rambus
At Rambus, we create cutting-edge semiconductor and IP products, providing industry-leading chips and silicon IP to make data faster and safer.
Tue, 10 Jan 2023 16:50:32 +0000

When a Chip Just Isn’t a Chip
https://www.rambus.com/blogs/when-a-chip-just-isnt-a-chip/
Mon, 24 Jun 2019 21:15:28 +0000

When most people imagine counterfeit goods, they tend to picture the ‘Rolax’ watch that you can buy from that somewhat shady guy behind the local watering hole, or the knock-off purse your relative brought you back from vacation. Most don’t imagine their new security camera containing non-authentic components, or that the military plane seen on the news might be flying with counterfeit chips. Scary, but it’s a reality.

Counterfeit semiconductors are everywhere. Industry estimates are that up to 5% of military and medical equipment contains counterfeit parts. The issue isn’t unique to any particular application or geography. In 2017’s “Operation Wafer,” the European-wide Joint Customs Operation (JCO) seized more than one million counterfeit semiconductor devices during a 2-week operation. One million devices – in just two weeks! Industry Week has pegged the fake semiconductor market at $75B, with Havocscope reporting more than $169B in counterfeit parts circulating in the marketplace. The problem is so prevalent that the Global Semiconductor Alliance started a working group on supply chain security.

So… why should fake chips matter to you? Let’s talk safety. There is no way to understand how counterfeit parts function. Are they actually doing what the original (authentic) part is supposed to do, or are they operating differently? An even scarier thought: are they intentionally compromising the systems around them? Or are they passing information they gather to an adversary? Confirmed recent incidents of counterfeit parts being found in the field include automated external defibrillators (AED), airport landing lights, intravenous (IV) drip machines, and braking systems for high-speed trains. Each of these represents a significant risk to human health and safety.

Device OEMs are forced to address a key question: “If we can’t trust the authenticity of semiconductor components we buy, how can we (and our customers) really trust the devices we make?” Frankly, the answer is “we can’t.”

So how can we fix this? Trust starts at the silicon level, but that trust is only as good as the security applied during manufacturing. That’s where the Rambus CryptoManager Infrastructure becomes a highly valuable tool towards guaranteeing semiconductor authenticity, starting at time of initial manufacturing and stretching all the way to end of life.

During the manufacturing of a chip, whether at an OEM or 3rd-party facility, CryptoManager Infrastructure securely provisions (injects) each and every semiconductor with a unique cryptographic key, or other secure data, in a known-secure area of the chip. Each key is unique to the individual chip and forms the basis of a trusted identity. The process is completely automated. There is no human intervention, allowing the process to take place in just about any facility around the world. Keys are securely generated in air-gapped systems, and only known to the OEM. Once the chip leaves the factory and is placed into a device, the authenticity of that chip can be checked at any time using the Rambus Key Management Service (KMS).

Chip OEMs who use our infrastructure product can provide a chip authenticity guarantee to their device OEM customers, who can then provide the same guarantee to their customers. By cutting down the number of counterfeit chips, we lower the risks to safety and security in electronic devices.

Rambus Highlights CryptoManager Root of Trust At RISC V Summit – 2018
https://www.rambus.com/blogs/rambus-highlights-cryptomanager-root-of-trust-at-risc-v-summit-2018/
Fri, 30 Nov 2018 22:09:49 +0000

We will be showcasing our CryptoManager Root of Trust at the RISC-V Summit on December 3-6, 2018, at the Santa Clara Convention Center. CryptoManager Root of Trust is a fully programmable root of trust core that provides secure processing based on RISC-V architecture. The CryptoManager Root of Trust, or CMRT, incorporates industry-leading hardware security and anti-tamper capabilities and is designed for applications ranging from networking to automotive to IoT.

RISC-V Summit

One demo shows attendees real-world device examples in a connected home that execute applications securely on the same processor without having to trust other entities. Each connected home application will have access to only specified features and resources that are cryptographically isolated from other applications.

The other is a joint demonstration with Rambus and SiFive, explaining a secure boot application. Here, a SiFive RISC-V processor is integrated with the Rambus CryptoManager Root of Trust (CMRT) to provide a complete solution for both general-purpose and secure processing. This demo showcases how the CMRT is used to provide secure boot functionality that ensures the SiFive processor in the system only boots images from a trusted source. This provides a foundation for security of the whole system.

Speaker Details

Dr. Martin Scott, CTO and SVP/GM of Cryptography at Rambus, will present on the panel “RISC-V Security Ecosystem: Open for Business” on Tuesday, December 4, 2018 in Meeting Room 209/210 from 3:40pm – 4:20pm local time. The session will discuss security issues faced by customers during implementation. The panelists will also cover holistic test and verification best practices at the platform level.

In addition, Helena Handschuh, Rambus Fellow and Chair of the RISC-V Foundation Security Standing Committee, and other recognized security experts will present on the panel “Opportunities and Challenges in Security for Open Source Hardware” on Wednesday, December 5, 2018 in Exhibit Hall A-1 from 10:40am – 11:20am local time. The focus of the panel discussion is on newly emerging threats on processors and the advantages of the RISC-V approach to counter these threats.

Lastly, Elke De Mulder, Embedded Security Researcher at Rambus, and Michael Hutter, Senior Principal Engineer at Rambus, will discuss “How to Protect RISC-V Against Side-Channel Attacks?” on Wednesday, December 5, 2018 in Meeting Room 209/210 from 2:10 pm to 2:30 pm local time. The solution integrates side-channel analysis countermeasures into a RISC-V implementation and protects against any first-order power or electromagnetic attacks while keeping implementation costs as low as possible.

Join Rambus at booth #103 or schedule a meeting with one of our security experts to discover more about Rambus Security solutions for applications from networking to automotive to IoT. To learn more, visit https://www.rambus.com/event/risc-v-summit/. For more information on Rambus solutions, visit rambus.com/security.

Rambus inks license agreement with Xilinx
https://www.rambus.com/blogs/rambus-inks-license-agreement-with-xilinx-2/
Mon, 03 Oct 2016 16:01:52 +0000

Rambus has signed a license agreement with Xilinx that covers Rambus’ patented memory controller, SerDes and security technologies.

In addition, the two companies have agreed to evaluate potential collaboration on the use of Rambus’ CryptoManager platform, with Rambus also exploring the use of Xilinx FPGAs in its Smart Data Acceleration (SDA) research program.

“As a leader in the FPGA space, Xilinx has built compelling solutions that are necessary for the growing acceleration needs in the data center,” said Rambus CEO Dr. Ron Black. “Through collaboration, we also see great potential for our CryptoManager platform to serve as the secure foundation that enables remote, dynamic activation of features once the devices are deployed in the field. We look forward to the possibilities of engaging in these programs with the Xilinx teams and providing innovative solutions to our shared customers.”

As we’ve previously discussed on Rambus Press, the CryptoManager security platform creates a trusted path from the SoC manufacturing supply chain to downstream service providers with a complete silicon-to-cloud security solution. CryptoManager includes a Security Engine, which is a flexible root-of-trust implemented as hardware or software, for secure provisioning, configuration, keying and authentication throughout the lifecycle of a device. A local and cloud-based CryptoManager Infrastructure and Trusted Provisioning Services support the Security Engine, offering chipmakers, device OEMs, secure application developers and service providers a scalable and flexible trust management solution.

Meanwhile, the SDA research program focuses on architectures designed to offload computing closer to very large data sets at multiple points in the memory and storage hierarchy. Potential use case scenarios include real-time risk analytics, ad serving, neural imaging, transcoding and genome mapping. Comprising software, firmware, FPGAs and significant amounts of DRAM, the SDA platform operates as an effective test bed for new methods of optimizing and accelerating analytics in extremely large data sets. As such, the SDA’s versatile combination of hardware, software, firmware, drivers and bit files can be precisely tweaked to facilitate architectural exploration of specific applications.

Put simply, the SDA – powered by an FPGA paired with 24 DIMMS – offers high memory densities linked to a flexible computing resource. Currently, the SDA’s base extensible command set is targeted at accelerating and offloading the transformation of common data structures such as those found in Big Data analytics applications. However, the Smart Data Acceleration platform could ultimately be made available over a network where it would serve as a key offload agent in a more disaggregated scenario.

Interested in learning more? You can check out our article archive on CryptoManager here and the SDA research program here.

 

Rambus eyes the future of smart ticketing
https://www.rambus.com/blogs/rambus-eyes-the-future-of-smart-ticketing-2/
Mon, 15 Aug 2016 15:01:57 +0000

Now a part of Rambus’ security division, Ecebs provides smartcard solutions for governments, transport operators, banks and systems integrators. This makes Rambus one of the leading providers of ITSO-compliant smart ticketing solutions.

The strategic addition of Ecebs to our security division has allowed us to create a more comprehensive and dynamic product stack. At the base, we enable foundational security with our DPA technology, architecture and design. The second level of the stack helps customers facilitate secure provisioning and management with CryptoManager, which is built around a hardware-based root-of-trust. The third level, or top tier of the stack, offers smart ticketing (via Ecebs) and mobile payments (via Bell ID).

Perhaps most importantly, Rambus CryptoManager can be deployed to configure devices and optimize security “downstream,” effectively targeting a wide range of applications at the consumer level. Integrating Ecebs’ smart ticketing platform with CryptoManager will help us design a versatile set of solutions for in-field provisioning, mobile cloud-based services and secure ticketing schemes.

Indeed, the rapid adoption of secure, contactless smartcards by public transport systems around the world is only the beginning of a global smart ticketing revolution.

The smart city of the future will be defined by public transport systems that offer convenience and ease of travel. This is precisely why public transport operators are working together with companies like Rambus to ensure journeys become as simple as possible for passengers.

We believe smart ticketing will continue to evolve along with consumer expectations for friction-free commerce in multiple spaces. To be sure, passengers in certain cities are already able to use their device of choice to travel seamlessly from location to location and system to system.

Of course, buying and storing train or bus tickets is only part of the smart ticketing equation for future smart cities. Using a smartphone or wearable as a hub, passengers will be able to purchase food and other items, reserve parking spaces, update travel plans in real-time, interact with augmented reality (AR) and Bluetooth beacons, view luggage status and even replace current paper travel documents, such as passports.

At Rambus, we are working to further develop and enhance our suite of smart ticketing software for cloud-based, secure ticketing systems. We are excited about the future of smart travel and all of the potential new market opportunities that innovative smart-ticketing solutions, programs and services can provide.

Computer Business Review highlights side-channel threat
https://www.rambus.com/blogs/computer-business-review-highlights-side-channel-threat-2/
Tue, 09 Aug 2016 16:30:39 +0000

Alexander Sword of Computer Business Review says cyber security is often thought of as a software issue that can be solved with a software solution. However, this paradigm ignores hardware-based attacks, a type of cyber threat security providers are now taking quite seriously.

“There are still plenty of unsecured chips out there, vulnerable to several major types of hardware attack,” he explained. “These include side-channel attacks, which are techniques that allow attackers to monitor the analogue characteristics and interface connections and any electromagnetic radiation.”

One software bug away from total compromise

According to Sword, differential power analysis (DPA) is a type of side-channel attack that measures the electrical power consumption or electromagnetic emissions from the device.

“From these measurements, attackers can derive cryptographic keys and private data,” he continued. “These keys allow attackers to easily gain unauthorized access to a device, decrypt or forge messages, steal identities, clone devices, create unauthorized signatures and perform additional unauthorized transactions.”

As Sword notes, Boeing recently licensed Rambus DPA Countermeasures to protect its aerospace and defense systems from security threats.

“Rambus is also working with smartphone manufacturers, [as the company’s] CryptoManager platform establishes a hardware-based root-of-trust, embedding a security core in the SoC itself,” he added. “Vendors can therefore securely provision unique keys for each chip during the silicon manufacturing and testing process.”

As we’ve previously discussed on Rambus Press, DPA countermeasures will allow Boeing to protect against security attacks that are used to reverse engineer or exploit critical technologies built into aircraft and other defense-related products. To be sure, the threat of DPA attacks is on the rise and defense companies require an extremely high level of hardware-based security to safeguard their customers’ high-value data.

Perhaps not surprisingly, concerns about DPA attacks originated in the smart card market, although such attacks have since spread into other segments, including aerospace and defense. Fortunately, government and military systems can be protected from cyber adversaries with a hardware-centric security approach, which helps prevent the threat of reverse engineering and exploitation.

To evaluate vulnerability and resistance to side-channel attacks, Rambus has also developed a DPA Workstation (DPAWS) platform for its customers and partners. Essentially, DPAWS analyzes hardware and software cryptographic implementations for vulnerabilities to power and electromagnetic side-channel attacks. Specifically, DPAWS enables users to quickly assess any vulnerability that an FPGA, ASIC, CPU or microcontroller may have to side-channel analysis.

In addition, DPAWS includes an integrated suite of hardware and data visualization software to aid in the identification and understanding of vulnerabilities in cryptographic chips.

Interested in learning more? You can check out our DPA Countermeasures product page here and our DPA Workstation product page here.

From chip to cloud to client device
https://www.rambus.com/blogs/from-chip-to-cloud-to-client-device-2/
Mon, 08 Aug 2016 16:30:22 +0000

Over the past few years, Rambus has evolved from a pure IP licensing business to a product-centric semiconductor company. Our diverse product portfolio currently includes memory and interfaces, along with security and smart sensor solutions.

The recent acquisition of Bell ID, along with its products, personnel and technologies, represents a strategic addition to our security division. Now an integral part of Rambus, Bell ID continues to help banks, governments and enterprises issue and manage credentials on smartphones, smart cards and connected devices. As an established leader in host card emulation (HCE), we are deployed worldwide and support all major cloud-based mobile payment platforms.

So, what’s next? Well, together we are accelerating efforts to develop and expand our suite of mobile solutions that support cloud-based services. This strategy will help us increase market opportunities via a larger set of solutions, programs and services. In a broader sense, Bell ID technology will also allow us to bolster our secure chip-to-Cloud-to-client device solutions.

For example, Rambus’ CryptoManager offers customers the ability to securely configure both silicon and devices during the manufacturing process. The platform can also be used to configure devices and optimize security “downstream,” allowing us to target a wide range of applications at the consumer level. Of course, smart ticketing (via Ecebs) and mobile payments (via Bell ID) are only two examples of market segments that will benefit from our integrated security portfolio.

Simply put, our security solutions can be thought of as a dynamic stack. At the base, we enable foundational security with our DPA technology, architecture and design. Moving up, CryptoManager, which features a hardware-based root of trust, facilitates secure provisioning and management. Meanwhile, mobile payments and smart ticketing represent the third, or top tier of the stack.

Since the acquisition of Bell ID, Rambus’ security division has successfully supported the integration of Android Pay for international issuing banks, payment schemes and processors; inked an agreement with First Data Poland to offer Cloud-based mobile payments as a service; helped Interac support Apple Pay in Canada and introduced Token Service Provider (TSP) services, which were jointly developed in collaboration with IBM and Everlink.

We are quite excited about additional opportunities that Bell ID’s expertise will help facilitate as we further solidify our leadership in the lucrative mobile payment space.

Taking smartphone security to the next level
https://www.rambus.com/blogs/taking-smartphone-security-to-the-next-level-2/
Tue, 02 Aug 2016 16:45:19 +0000

Asaf Ashkenazi, a senior director at Rambus’ security division, recently gave a keynote presentation about the future of mobile security at the Linley Group’s Mobile and Wearables Conference.

According to Ashkenazi, the demand for trusted applications on mobile devices has increased significantly in recent years.

“As the amount of valuable data stored and communicated across mobile devices continues to grow, the need for robust security solution becomes even more important,” he told conference participants.

“For example, there is a critical need for a security platform capable of addressing the distribution and authentication of cryptographic keys throughout the lifecycle of a device. From chip management to device personalization to downstream feature provisioning, it is important to create a trusted path from the SoC manufacturing supply chain to downstream service providers with a complete silicon-to-cloud solution.”

As Ashkenazi notes, this is precisely why Rambus’ CryptoManager platform establishes a hardware-based root-of-trust by embedding a security core in the SoC itself. This allows vendors to securely provision unique keys for each chip during the silicon manufacturing and testing process.

“With CryptoManager, an OEM building a device with an SoC from a chipset vendor does not need to provision keys or take any extra steps to enable security features,” he explained. “Service providers can also securely and conveniently provision keys over the air. Moreover, CryptoManager can be deployed across a wide range of key verticals, including mobile digital rights management, mobile payments and smart ticketing.”

In addition to its flagship hardware core, says Ashkenazi, the CryptoManager platform offers customers multiple implementation options, such as an integrated Software Agent and Trusted Execution Environment (TEE), as well as a stand-alone Software Agent. The former is implemented via software as a protected element within a trusted OS to deliver a combination of security and flexibility. Similarly, the latter is implemented in the software layer of a device OS to facilitate a high level of flexibility.

“Put simply, CryptoManager offers our customers and partners far more than key provisioning capabilities,” he added. “We support enhanced security for applications and data, alongside full device lifecycle management.”

Indeed, as we’ve previously discussed on Rambus Press, CryptoManager is a complete silicon-to-cloud solution for the distribution and authentication of cryptographic keys throughout the lifecycle of a device. The platform enables dynamic SoC management and device personalization in the supply chain, securing applications and services via in-field key provisioning.

CryptoManager includes a Security Engine, which is a flexible root-of-trust implemented as hardware or software, for secure provisioning, configuration, keying and authentication throughout the lifecycle of a device. A local and cloud-based CryptoManager Infrastructure and Trusted Provisioning Services support the Security Engine, providing chipmakers, device OEMs, secure application developers and service providers a scalable and flexible trust management solution.

By offering a secure foundation for downstream device configuration, chipmakers are granted the flexibility needed for post-manufacturing inventory management, while service providers have a trusted path to consumers for feature enablement and service delivery in applications including secure mobile banking, identity and entertainment, as well as IoT device security.

Interested in learning more? You can check out our official CryptoManager product page here.

Video: Rambus and Movimento secure OTA updates for connected vehicles
https://www.rambus.com/blogs/video-rambus-and-movimento-secure-ota-updates-for-connected-vehicles-2/
Thu, 21 Jul 2016 16:46:06 +0000

Earlier this summer, Rambus and Movimento teamed up to demonstrate a joint OTA update solution at TU-Automotive in Detroit. Essentially, Movimento’s OTA technology uses Rambus’ CryptoManager platform to enable in-field provisioning of encrypted keys generated for a specific vehicle, thereby facilitating secure communication between cars and the Cloud.

“We tend to think of cars as mechanical [entities], but [modern vehicles] are actually very sophisticated,” Asaf Ashkenazi, senior director, product management for Rambus’ Security division, explained.

“So we need to make sure that we not only address today’s security challenges, but also those [that could occur] one or even five years from now.”

As Ashkenazi notes, most OTA solutions currently on the market offer limited functionality and lack personalization features.

“[For example], secure elements work fine for some purposes, but they aren’t enough for OTA vehicle updates. [Yes], they can get a key into a car, but without personalization, they end up using the same key in all vehicles,” he told the EE Times earlier this summer. “Alternatively, one can specify one key for each vehicle. But this requires automakers to implement the secure injection of keys at the manufacturing site. No personalization means that each vehicle has no unique key, which is critical in authenticating codes for software downloads.”

In contrast, says Ashkenazi, updates provided by Movimento and Rambus are delivered via one-time, single-use keys that are unique to each vehicle.

“Today we are using CryptoManager for over the air updates, but tomorrow we can use it for other solutions. Security is not new to us and we believe there is a real need for what we’re doing,” he added.

Securing connected vehicles with Rambus CryptoManager
https://www.rambus.com/blogs/securing-connected-vehicles-with-rambus-cryptomanager-2/
Tue, 14 Jun 2016 15:56:46 +0000

Anna Steffora Mutschler of Semiconductor Engineering recently observed that self-driving cars have prompted the semiconductor industry to consider a number of complex legal and regulatory issues.

“[Self-driving vehicles] open up a whole new field for legal interpretation, case law, and regulation,” she explained.

“While most liability cases in the past never crossed below the system vendor/supplier level, [this] could change with autonomous vehicles. [In terms of security], self-driving cars pose a huge concern given the amount of silicon and software and the size and mass of vehicles.”

Indeed, as Asaf Ashkenazi, senior director of product management at Rambus Cryptography Research points out, while the Internet revolution improved many aspects of our lives and boosted the world’s economy, it also introduced new threats and concepts such as cyber-crime and cyber-warfare.

“Self-driving cars are really no different,” he told Semiconductor Engineering. “There is no doubt that by the time self-driving cars roam our streets they will be fully connected, raising concerns about ensuring the integrity of the software, and ensuring it is not maliciously replaced by a rogue version that could bring harm to the passengers or bystanders. This is only one of many concerns that will need to be addressed by self-driving car manufacturers, operators and regulators.”

According to Ashkenazi, self-driving cars are currently undergoing a risk-reward analysis by many in the industry, with a focus on reducing accidents, traffic congestion and cost.

“We may also see some existing transportation-related businesses become redundant, and new businesses emerge to provide new services enabled by new technology,” he added.

As Mutschler emphasizes, security is a concept that makes the above-mentioned equation more palatable. If done right, she says, security must be part of the primary automotive design, rather than a tertiary afterthought. Indeed, modern vehicles are essentially a network of networks – equipped with a range of embedded communication methods and capabilities. As such, there is broad consensus that vehicle cyber security should rank as a top priority for the automotive industry.

That is precisely why Rambus and Movimento recently teamed up to deliver secure and personalized OTA updates for connected vehicles. Currently, the majority of OTA solutions designed to deliver functional updates and security patches use the very same software encryption key for multiple vehicles, which increases the vulnerability vector of an update. In contrast, updates provided by Movimento and Rambus are delivered via one-time, single-use keys that are unique to each vehicle – effectively minimizing vulnerabilities and maximizing security.

More specifically, Movimento’s OTA technology uses Rambus’ CryptoManager platform to enable in-field provisioning of encrypted keys generated for a specific vehicle, thereby facilitating secure communication between cars and the Cloud.

“CryptoManager offers an integrated security platform with flexible implementation, comprising a hardware root-of-trust and secure firmware,” Dr. Simon Blake-Wilson, VP of Products and Marketing at Rambus Cryptography Research explained. “When combined with Movimento’s OTA technology, CryptoManager enables the next level of integrated chip-to-Cloud-to-car security. Simply put, CryptoManager is an embedded hardware solution that minimizes the attack surface of the vehicle by providing end point security.”

Interested in learning more about Rambus and automotive security? You can check out our automotive security page here and our article archive on the subject here.

EE Times talks Rambus and automotive security
https://www.rambus.com/blogs/ee-times-talks-rambus-and-automotive-security-2/
Wed, 08 Jun 2016 16:23:36 +0000

Junko Yoshida of the EE Times reports that Rambus is diving into the field of cyber-security for OTA vehicle updates, which she describes as a “red-hot” issue for the current automotive market.

“Rambus, a semiconductor and IP licensing company, has partnered with Movimento, a leader in automotive reflash services with innovations in OTA software,” Yoshida writes. “Combining Movimento’s OTA technology with Rambus’ own CryptoManager platform, the two companies have developed a system that offers one-time, single-use keys unique to each vehicle, ensuring validity before installation.”

According to Asaf Ashkenazi, senior director, product management at Rambus Cryptography Research, the combined Rambus-Movimento technology is akin to “closing the front door” of a house.

“This isn’t a magic solution,” Ashkenazi told the EE Times. “Layers of security are necessary. One company can’t fix it all. [However, the use of] simple, secure methods to download, authenticate and install vehicle updates [is a much needed first step].”

As Ashkenazi notes, most OTA solutions currently on the market offer limited functionality and lack personalization features.

“[For example], secure elements work fine for some purposes, but they aren’t enough for OTA vehicle updates. [Yes], they can get a key into a car, but without personalization, they end up using the same key in all vehicles,” he emphasized. “Alternatively, one can specify one key for each vehicle. But this requires automakers to implement the secure injection of keys at the manufacturing site. No personalization means that each vehicle has no unique key, which is critical in authenticating codes for software downloads.”

In contrast, says Ashkenazi, updates provided by Movimento and Rambus are delivered via one-time, single-use keys that are unique to each vehicle – effectively minimizing vulnerabilities and maximizing security.

So, how does Rambus’s versatile CryptoManager platform work in the context of automotive security?

“The platform first establishes a robust hardware root-of-trust, cryptographically authenticates code — unique to a car — before executing it, and encrypts the payload to protect the vehicle from attacks,” Yoshida explained. “To prevent physical attacks CryptoManager uses the same technologies used to protect bank or credit cards from side-channel attacks.”

Interested in learning more? The full text of “Can Rambus Hack Auto Cyber-Security?” is available on EE Times here.
