|
|
|
|
Chips Philips
Developed by Philips Usfa/Crypto
This page describes the evolution of dedicated cryptographic chips
developed over the years by Philips Usfa (later: Philips Crypto).
Most of the early chips were made exclusively for use in
Philips' own cryptographic appliances,
but later chips were used in third party crypto products as well.
|
As Philips was a semiconductor manufacturer, they were able to
develop and manufacture their own integrated circuits (ICs) (chips).
Philips's professional camera division (BTS) already used these facilities
to produce custom OEM chips that were not available to other customers.
Such chips were generally given a so-called OQ number,
with the OQ44xx range reserved for Philips Usfa.
The image on the right shows an early production sample of the
OQ4430. This chip was developed in the mid-1980s for the
Spendex 40 and 50
voice encryption devices.
|
|
|
The first crypto chips were developed around 1974/75 especially for the
Aroflex range of cipher machines. Until that time,
the crypto-heart of all Philips cipher machines consisted of discrete electronics.
The OQ4406 was intended for use by
NATO and the Dutch Government,
while the OQ4407 was used for all other customers.
The OQ4406 was also used in
Picoflex,
in a tick film hybrid variant.
The timeline below shows roughly when the various crypto chips were
developed.
The early OQ4406/07
chips lasted until they were replaced by their successors
OQ4434/35/36 around 1990.
In the meantime, around 1985, Philips had created the
OQ4430 especially for voice encryption
by implementing the highly secret American
NSA Type-1
SAVILLE algorithm.
In the mid-1990s, Philips moved away from proprietary stream
cipher encryption methods that found their origin in the ancient
(wheel-based) mechanical models, and developed a
range of crypto processors with mathematical building blocks to create
algorithms like DES and RSA. These chips were commercially available
to third parties under a so-called Non-Disclosure Agreement (NDA).
|
OQ4406 and OQ4407 were the first generation of application-specific
integrated circuits (ASICs) used in
Philips encryption devices. Each chip contains a complex
non-linear feedback shift register (NLFSR) that could roughly be seen
as the electronic equivalent of a mechanical cipher rotor, similar to the
rotors of the German Enigma, the
Russian M-125 (Fialka) and the
American KL-7.
|
By connecting several of these chips in a chain,
a stream cipher 1 could be realized.
Such a cipher could be viewed
as an electronic version of a mechanical cipher machine.
Generally, 8 such chips were used in the
In the Aroflex machine.
To hide the electronics from prying eyes and as an elementary
anti-tamper measure, the crypto heart was
usually potted in a rigid
foam block.
The image on the right shows the interior of the crypto heart of an
Aroflex-derivative based on a series of OQ4407 chips.
Note that the QO4407 is less secure than the pin-compatible OQ4406.
|
|
|
The OQ4406 was used in real Aroflex
machines and was classified Confidential.
The Aroflex was approved for TOP SECRET and NATO SECRET
messages.
The OQ4407 chip was used for all other customers, including the
Siemens T-1000CA.
Internally, crypto-logics based on the OQ4407 were commonly known as Beroflex.
With the right means, machines with the OQ4407 were breakable.
Both chips could be connected in several ways, giving some level of
configurability. This allowed the designers to create different crypto hearts
(or crypto-logics as they were called) for different customers.
in 1980, the OQ4406 logic was also used in the portable
Picoflex cipher machine.
In Picoflex, four OQ4406 substrates are mounted on a tick film carrier in
a single metal package.
Being NATO CEROFF standard, Picoflex was compatible with the
NATO version of Aroflex and therefore also
with the Norwegian RACE (KL-51)
when operating in Aroflex mode (a.k.a. EPSOM).
|
|
-
In open literature, this type of cipher is also known as a cascade clock
controlled cipher.
|
|
Products based on the OQ4406 and OQ4407
|
|
|
In the early 1980s, Philips developed the narrowband
Spendex 40
crypto phone for use by the Dutch Government and the Army.
As it was their intention to sell this phone to NATO as a
STU-II compatible product,
the GCHQ/NSA-developed
SAVILLE algorithm was used.
It was thought that by using an existing already-approved algorithm,
the time-to-market would be shortened.
|
By special permission from the NSA,
Philips is believed to be the first non-US
company to be allowed to implement the
SAVILLE algorithm in their own hardware.
The result is the OQ4430.
The same OQ4430 chip was later used in the military
Spendex 50 (DBT) wideband
crypto phone, that was developed shortly after the Spendex 40
for use on the Dutch
ZODIAC combat communications network.
The image on the right shows an OQ4430 chip on the crypto board of the
Spendex 50.
Three such chips were generally combined for fail-safe operation.
|
|
|
As the secret SAVILLE algorithm
was implemented in the OQ4430, it was difficult
for Philips to sell the Spendex 40
and Spendex 50 phones to other customers
and countries, as they had to seek
NSA-approval on each occasion.
Nevertheless, both phones were used exensively by NATO,
the Dutch Government and by some other countries such as the United Kingdom
and Germany.
For customers outside the NSA-controlled community, an alternative
cryptographic algorithm was developed, that was implemented as a
pin-compatibile chip.
Phones that featured this chip were advertised as
NBSV-45 (Spendex 40)
and DWBST-55 (Spendex 50)
but were never taken into production due to lack of sufficient orders.
As a result the alternative chip wasn't produced either.
|
|
Products based on the OQ4430
|
|
|
|
OQ4434, OQ4435 and OQ4436
|
|
|
In the late 1980s, the Philips Crypto roadmap was extended with a series
of products referred to as 'the new generation crypto equipment',
also known as NGC. The NGC allowed much higher encryption speeds, had
multi-channel encryption, and comprised all applications, such as secure
voice (narrowband and wideband), secure fax, and secure data (X.25 at
layers 2, 3 and 4 and Link).
Consequently, Philips started development of a series of 'next-generation'
crypto chips. Although the principle is based on the earlier OQ4406/07 chips,
they are in fact much more complex and can be regarded as enhanced
versions of the earlier OQ4406 and OQ4407 chips.
|
As Philips wanted the new chips to be used in a variety of products that would
in turn be sold to a variety of governmental and non-governmental customers,
it was decided to develop different variants: the OQ4434, OQ4435 and OQ4436.
The chips were pin-compatible but contained different cryptographic building
blocks. This allowed Philips to sell the same product to different customers
without jeopardizing (state) security. Depending on the customer and/or the
application, a different chip would be selected, keeping the application
functionally identical.
|
|
|
Both the OQ4434 and the OQ4436 were equipped with compatibility modes,
providing backwards compatibility with the older OQ4407 and OQ4406 respectively.
A vast number of crypto-logics could be realized with these chips, including
all existing old variants and turbo 12-wheel versions of the OQ4406
and OQ4407.
The OQ4435 was not related to any previous crypto chip.
It was also a stream cipher based on the same principle and it included a
random generator.
All three chips were used from 1990 onwards in a new range of
crypto products, such as the PNVX phones,
the PFDX fax encryptor
and the PLDX data encryptor.
|
The image on the right shows an example of a crypto heart that was used in
these products.
In many cases two OQ443x chips were used in order to obtain a full-duplex
data stream (send and receive at the same time), whilst a small 8051
microcontroller (here visible at the center) was used for the configuration
and control of the cryptographic building blocks inside the chips.
The PCB shown here was the crypto heart of a PNVX phone
and contains two OQ4436 chips. It was used by the Dutch Government
for voice communication at the highest level (top secret).
|
|
|
A single OQ4434 was also implemented in the
PFX/PM hand-held radio,
where it was used for simplex voice communication.
The same chip was later used in the MDT data terminals
of the Eindhoven Police Department, for which it had to be repackaged
in order to fit a PCMCIA card.
The OQ4436 was used again in the Aroflex II (T-1285).
As the chip was an enhanced version of the earlier OQ4406, it allowed the
Aroflex II to be backwards compatibile with
the old Aroflex.
|
|
Products based on the OQ4434/35/36
|
|
|
In the mid-1990s, Philips recognized the need to develop a new generation
of faster and more versatile crypto chips.
Unlike previous chips, that were implementations of proprietary stream
cipher algorithms, the new chip would use modern mathematical
cryptographic algorithms such as DES and RSA.
The new chip was called General Crypto Device (GCD) and was (co)developed
with the Institut für Angewandte Mikroelektronik (IAM)
in Braunschweig (Germany). The design was later held by SICAN in Hamburg,
which was taken over in 2000 by Infineon (now: Sci-worx).
|
Some backend processing was done in Vught (Netherlands)
by Pijnenburg Custom Chips BV (later: Securealink),
which is why their name appears on the chip.
Pijnenburg was taken over in 2001 by
SafeNet and in
2010 by AuthenTec (US).
The chip was produced by ES2 in France.
The GCD contained building blocks for DES, IDEA and RSA and was
available to the general public.
Although Philips never implemented the GCD in any product, it was used
in an early prototype of the V-kaart.
Furthermore, it was the foundation on which the later
GCD-PHI chip was based.
|
|
|
At the heart of the GCD chip is an application-specific
32-bit RISC core, known as the Arithmetic Processor.
It is optimized for high performance arithmetic functions and allows
up to four parallel operations on registers, memory and pointers,
much like a DSP. Below is a simple block diagram.
The chip has a flexible I/O controller that can be adapted to accommodate
virtually any host bus, allowing data transfer speeds up to
160MB/s. Also embedded on the chip is a Random Number Generator (RNG) and
an industry-standard 8-bit 8051 microcontroller,
that can be used for the implementation of a user interface
such as a keypad, a display or a smart-card reader [1].
|
The GCD chip is implemented as an Application-Specific Integrated
Circuit (ASIC) in 0.6 mm standard cell technology.
It operates at 3.3V and contains approx. 400,000 transistors.
Although the ASIC is clocked at a modest 25MHz, the DES algorithm can be
executed at 100Mb/s when running in ECB, CBC, CFB and OFB
cipher modes.
As the individual crypto functions can be accessed directly by the
program, the chip is not limited to DES and RSA, but can also be used for
proprietary and future algorithms, with the only limitation being the
4MB on-chip memory.
|
|
|
To assist developers with the implementation of the GCD chip in their
designs and software, the evaluation board shown above was made available
by the manufacturer.
|
The GCD-PHI chip was in fact a further development of the earlier General
Crypto Device (GCD). It was developed a few years later, after ES2 had stopped
the production of the original GCD, due to lack of sufficient orders.
The extension PHI to the name of the chip (GCD-PHI) clearly refers
to PHILIPS. It was commonly written as GCD-Φ (with the Greek letter PHI).
|
The GCD-Φ became available by the end of 1997 and was used as the
heart of the
V-kaart, a data security product that Philips
developed for the Dutch Government and the Dutch Army.
Philips included features that made it possible to develop
products for (state) secret applications.
Nevertheless, the chip was available to other manufacturers and was used
in a number of consumer products, such as equipment for financial transactions
(e.g. PIN terminals).
Philips actively promoted the GCD-Φ by releasing a datasheet under NDA
and a 4-page brochure [3].
|
|
|
According to the brochure,
the chip was suitable for the implementation of
the standard algorithms of the era, including DES, IDEA, RSA and SHA,
but also for customer-specific algorithms.
It featured:
|
- Programmable advanced block cipher core (64-160 bits wide)
- Second substitution box organized as two independent byte-look-up tables
- Built-in Random Number Generator (RNG)
- 32Kb on-chip RAM
- 128-bit hyper-secure on-chip memory 1
|
Like the earlier GCD chip,
the GCD-Φ allowed encryption rates up to 100 Mb/s.
The GCD-Φ chip is implemented as an Application-Specific Integrated
Circuit (ASIC) in 0.5µ standard cell technology. It operates at 3.3V,
contains approx. 200,000 logic gates and is clocked at 48 MHz.
The block cipher core is highly versatile with dynamic per-round configuration.
It also provides an efficient implementation of the secret NSA
Type 1
BATON block cipher algorithm.
According to the brochure, the GCD-Φ was used in a number of
real (Philips) products, including the Virtual Private Network Guard
(VPN Guard), V-kaart
and a 2Mbps Link Encryption System PLDX 6142 (LES).
When Philips Crypto closed down in 2003,
the V-kaart project was
taken over by Fox-IT (Delft, Netherlands),
whilst the two other products
went to Compumatica (Uden, Netherlands).
➤ Download the brochure
|
-
This memory can be erased instantly in case of an emergency,
even when running in battery backup mode.
|
Immediately after the introduction of the GCD-Φ, Philips started
development of an improved version of the chip, designated GCD-PHI 2000
or GCD-Φ 2000. It was a drop-in replacement for the earlier GCD-Φ,
but had improved performance, expanded capacity and extra features.
|
Compared to the earlier GCD-Φ, the 2000-version
had some additional features, such as
a programmable 32-bit permutation, and the on-chip RAM that
had been increased to 64Kb.
At the same time, the built-in hyper-secure memory was doubled
from 128 to 256 bits.
Most important was its on-board integrity check mechanism,
designed to guard the integrity for the RAM and box contents.
With this mechanism, the AP-program and the contents of the S-boxes
and programmable permutation were effectively secured against manipulation
and chip defects.
|
|
|
The image above shows two GCD-Φ 2000 chips as they were finally produced.
The GCD-Φ 2000 chip is implemented in 0.35µ three metal layer technology
with 340,000 gate equivalents, and allows a clock frequency of 60 MHz.
A special evaluation board
was available for developers.
|
Although the GCD-Φ family was really state-of-the-art when it was
introduced, the chips were not very efficient for modern algorithms like AES.
According to the brochure, Philips had the intention to expand their
range of crypto chips in order to support emerging standards [4].
Unfortunately, these never saw the light of day, as Philips Crypto was dissolved
in 2003 due to lack of orders.
The rights to the GCD-Φ (2000) were transferred to Dutch
crypto company Fox-IT who successfully
implemented it in some of its products, including the
FFFE crypto card.
|
|
|
The Fort Fox File Encryptor (FFFE), which was in
fact the successor to the Philips V-Kaart
— or more precisely: the spun-off C-card) —
and was used extensively by the Dutch Goverment for many years up to
the level of SECRET (Stg. Geheim).
FFFE was finally phased out in early 2012.
|
|
Products based on the GCD, GCD-Φ and GCD-Φ 2000
|
|
|
- Nikolaus Lange, Single-Chip Implementation of a Cryptosystem for Financial Applications
SICAN Braunschweig GmbH.
Financial Cryptography, First International Conference, February 1997.
Springer-Verlag. ISBN 3-540-63594-7. pp. 135-144.
- P. Arora, M. Dugan, P. Gogte, GMU, Survey of commercially available cryptographic...
...chips and IP cores implementing cryptographic algorithms.
December 2005.
- Philips Crypto BV, GCD-Φ General Crypto Device (brochure)
9922 154 22011. Date unknown; probably around 1997.
- Philips Crypto BV, GCD-Φ 2000, General Crypto Device (brochure)
9922 154 22451. Date unknown; probably around 2000.
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Saturday 27 October 2012. Last changed: Monday, 13 May 2024 - 21:21 CET.
|
|
|
|
|