|
|
|
|
|
|
Developed by Philips Usfa/Crypto
This page describes the evolution of dedicated cryptographic chips
developed by Philips Usfa (later: Philips Crypto) over the years.
Most of these were developed exclusively for use in
Philips' cryptographic appliances,
but later chips were used in products of other companies as well.
|
As Philips was also a manufacturer of semiconductors, they were able to
develop and build their own chips. Some divisions of Philips, such as the
professional camera division (BTS) already used these facilities to produce
custom chips that were not available to other customers.
Such chips would generally get a so-called OQ-number,
with the OQ44xx range reserved for Philips Usfa.
The image on the right shows an early production sample of the
OQ4430
(see below). This chip was developed in the mid-1980s for some of the
Spendex voice ciphers.
|
|
|
The first crypto chips were developed around 1974/75 especially for the
Aroflex range of cipher machines. Until that time,
the crypto-heart of all Philips cipher machines consisted of discrete electronics.
The OQ4406 was intended for use by NATO and the Dutch Government,
while the OQ4407 was used for all other customers.
The OQ4406 was also used in
Picoflex,
in a tick film hybrid module.
The timeline below shows roughly when the various crypto chips were
developed.
The early OQ4406/07
chips lasted until they were replaced by their successors
OQ4434/35/36 around 1990.
In the meantime, around 1985, philips had created the
OQ4430 especially for voice encryption
by implementing the highly classified American Type-1
SAVILLE algorithm.
In the mid-1990s, Philips moved away from proprietary stream
cipher encryption methods that found their origin in the ancient
(wheel-based) mechanical models, and developed a
range of mathematical crypto processors with building blocks to create
algorithms like DES and RSA. These chips were commercially available
to third parties under a so-called Non-Disclosure Agreement (NDA).
|
The OQ4406 and OQ4407 were the first generation of custom-built crypto chips
used in Philips cipher equipment.
Each chip contained a complex non-linear
shift register that could be seen as an advanced electronic version of
a coding wheel of a mechanical cipher
machine, such as the war-time German Enigma machine,
the later Russian Fialka
and the American KL-7 (Adonis).
|
By connecting several of these chips in a chain,
a stream cipher could be realized. Such a cipher could be viewed
as an electronic version of a mechanical cipher machine.
Generally, 8 such chips were used in the
In the Aroflex machine.
To hide the electronics from prying eyes and as an elementary
anti-tamper measure, the crypto heart was
usually hidden inside a
foam block.
The image on the right shows the interior of an
Aroflex crypto heart.
The OQ4406 was approved for TOP SECRET and NATO SECRET
messages.
The OQ4407 was used for all other customers.
|
|
|
Both chips could be connected in several ways, giving some level of
configurability. This allowed the designers to create different crypto hearts
for different customers.
The OQ4406 was later used (around 1980) in the portable
Picoflex machine as well. Being NATO CEROFF standard,
the Picoflex was compatible with the NATO version of
Aroflex
and the Norwegian RACE (KL-51).
Products based on the OQ4406/07
|
In the early 1980s, Philips decided to develop the narrow-band crypto phone
Spendex 40 for use by the Dutch Government and the Army.
As it was their intention to sell this phone to NATO as well,
the NSA-developed
SAVILLE algorithm was used.
It was thought that by using an existing already-approved algorithm,
the time-to-market of the Spendex 40 would be shortened.
|
By special permission of the NSA,
Philips is believed to be the first non-US
company to be allowed to implement the
SAVILLE algorithm in their own chip.
The result is the OQ4430.
The same OQ4430 chip was later used in the military
Spendex 50 (DBT) wide-band
crypto phone, that was developed shortly after the Spendex 40
for use with the Dutch
ZODIAC combat communication network.
The image on the right shows an OQ4430 chip on the crypto board of the
Spendex 50. Three such chips were generally combined for fail-safe operation.
|
|
|
As the SAVILLE algorithm
was implemented in the OQ4430, it was difficult
for Philips to sell the Spendex 40
and Spendex 50 phones to other customers
and countries, as they would need
NSA-approval on each occasion. Nevertheless,
both phones were used exensively by NATO, the Dutch Government and by some
other countries such as the UK and Germany.
Products based on the OQ4430
|
|
|
|
In the late 1980s, the Philips Crypto roadmap was extended with a series
of products referred to as 'the new generation crypto equipment',
also known as NGC. The NGC allowed much higher encryption speeds, had
multi-channel encryption, and comprised all applications, such as secure
voice (narrowband and wideband), secure fax, and secure data (X.25 at
layers 2, 3 and 4 and Link).
Consequently, Philips started development of a series of 'next-generation'
crypto chips. Although the principle is based on the earlier OQ4406/07 chips,
they are in fact much more complex and can be regarded as enhanced
versions of the earlier OQ4406 and OQ4407 chips.
|
As Philips wanted the new chips to be used in a variety of products that would
in turn be sold to a variety of governmental and non-governmental customers,
it was decided to develop different variants: the OQ4434, OQ4435 and OQ4436.
The chips were pin-compatible but contained different cryptographic building
blocks. This allowed Philips to sell the same product to different customers
without jeopardizing (state) security. Depending on the customer and/or the
application, a different chip would be selected, keeping the application
functionally identical.
|
|
|
Both the OQ4434 and the OQ4436 were equipped with compatibility modes,
providing backwards compatibility with the older OQ4407 and OQ4406 respectively.
The OQ4435 was not related to any previous crypto chip.
All three chips were used from 1990 onwards in a new range of
crypto products, such as the PNVX phones,
the PFDX fax encryptor
and the PLDX data encryptor.
|
The image on the right shows an example of a crypto heart that was used in
these products.
In many cases two OQ443x chips were used in order to obtain a full-duplex
data stream (send and receive at the same time), whilst a small 8051
microcontroller (here visible at the center) was used for the configuration
and control of the cryptographic building blocks inside the chips.
The PCB shown here was the crypto heart of a PNVX phone
and contains two OQ4436 chips. It was used by the Dutch Government
for voice communication at the highest level (top secret).
|
|
|
A single OQ4434 was also implemented in the
PFX/PM hand-held radio,
where it was used for simplex voice communication.
The same chip was later used in the MDT data terminals
of the Eindhoven Police Department, for which it had to be repackaged
in order to fit a PCMCIA card.
The OQ4436 was used again in the Aroflex II (T-1285).
As the chip was an enhanced version of the earlier OQ4406, it allowed the
Aroflex II to be backwards compatibile with
the old Aroflex.
Products based on the OQ4434/35/36
|
|
|
|
In the mid-1990s, Philips recognized the need to develop a new generation
of faster and more versatile crypto chips.
Unlike previous chips, that were implementations of proprietary stream
cipher algorithms, the new chip would use modern mathematical
cryptographic algorithms such as DES and RSA.
The new chip was called General Crypto Device (GCD) and was (co)developed
with the Institut für Angewandte Mikroelektronik (IAM)
in Braunschweig (Germany). The design was later held by SICAN in Hamburg,
which was taken over in 2000 by Infineon (now: Sci-worx).
|
Some backend processing was done in Vught (Netherlands)
by Pijnenburg Custom Chips BV (later: Securealink),
which is why their name appears on the chip.
Pijnenburg was taken over in 2001 by
SafeNet and in
2010 by AuthenTec (US).
The chip was produced by ES2 in France.
The GCD contained building blocks for DES, IDEA and RSA and was
available to the general public.
Although Philips never implemented the GCD in any product, it was used
in an early prototype of the V-kaart.
Furthermore, it was the foundation on which the later
GCD-PHI chip was based.
|
|
|
At the heart of the GCD chip is an application-specific
32-bit RISC core called the Arithmetic Processor.
It is optimized for high performance arithmetic functions and allows
up to four parallel operations on registers, memory and pointers,
much like a DSP. Below is a simple block diagram.
The chip has a flexible I/O controller that can be adapted to accommodate
virtually any host bus, allowing data transfer speeds up to
160MB/s. Also embedded on the chip is a Random Number Generator (RNG) and
an industry-standard 8-bit 8051 microcontroller,
that can be used for the implementation of a user interface
such as a keypad, a display or a smart-card reader [1].
The GCD chip is implemented as an Application-Specific Integrated
Circuit (ASIC) in 0.6mm standard cell technology.
It operates at 3.3V and contains approx. 400,000 transistors.
Although the ASIC is clocked at a modest 25MHz, the DES algorithm can be
executed at 100Mb/s when running in ECB, CBC, CBF and OFB cipher modes.
As the individual crypto functions can be accessed directly by the
program, the chip is not limited to DES and RSA, but can also be used for
proprietary and future algorithms, with the only limitation being the
4MB on-chip memory.
|
The GCD-PHI chip was in fact a further development of the earlier General
Crypto Device (GCD). It was developed a few years later, after ES2 had stopped
the production of the original GCD, due to lack of sufficient orders.
The extension PHI to the name of the chip (GCD-PHI) clearly refers
to PHILIPS. It was commonly written as GCD-Φ (with the Greek letter PHI).
|
The GCD-Φ became available around 1997 and was used as the heart of the
V-kaart, a data security product that Philips
developed for the Dutch Government and the Dutch Army.
Philips made it possible to include
features that would make it suitable for (state) secret applications.
Nevertheless, the chip was available to other manufacturers and was used
in a number of products, such as equipment for financial transactions
(e.g. PIN terminals).
Philips actively promoted the GCD-Φ by releasing a datasheet under NDA
and a 4-page brochure [3].
|
|
|
According to the brochure,
the chip was suitable for the implementation of
the standard algorithms of the era, including DES, IDEA, RSA and SHA,
but also for customer-specific algorithms.
It featured a programmable advanced block cipher core (64-160
bits wide), a built-in Random Number Generator (RNG),
32Kb on-chip RAM and 128-bit hyper-secure on-chip
memory that could be erased instantly in case of an emergency,
even when running in battery backup mode.
Like the earlier GCD chip,
the GCD-Φ allowed encryption rates up to 100 Mb/s.
According to the brochure, the GCD-Φ was used in a number of
real (Philips) products, including the Virtual Private Network Guard
(VPN Guard), V-kaart
and a 2Mbps Link Encryption System PLDX 6142 (LES).
When Philips Crypto closed down in 2003,
the V-kaart project was
taken over by Fox-IT (Delft, Netherlands),
whilst the two other products
went to Compumatica (Uden, Netherlands).
|
Immediately after the introduction of the GCD-Φ, Philips started
development of an improved version of the chip, designated GCD-PHI 2000
or GCD-Φ 2000. It was a drop-in replacement for the earlier GCD-Φ
but had improved performance. It had some additional features, such as
a programmable 32-bit permutation, the on-chip RAM was increased to 64Kb
and the built-in hyper-secure memory was also doubled (256 bits).
|
Although the GCD-Φ family was really state-of-the-art when it was
introduced, the chips were not very efficient for modern algorithms like AES.
According to the brochure, it was Philips' intention to expand their
range of crypto chips in order to support emerging standards [4].
Unfortunately, these never materialized, as Philips Crypto was dissolved
in 2003 due to lack of orders.
The rights to the GCD-Φ and GCD-Φ 2000 were transferred to Dutch
crypto company Fox-IT who successfully
implemented it in some of their products, including the
FFFE crypto card.
|
|
|
The Fort Fox File Encryptor (FFFE) was in
fact the successor to the Philips V-Kaart
(or more precisely: the C-card),
and was used extensively by the Dutch Goverment for many years up to
the level of SECRET (Stg. Geheim).
The FFFE was finally phased out in early 2012.
|
- Nikolaus Lange, Single-Chip Implementation of a Cryptosystem for Financial Applications
SICAN Braunschweig GmbH.
Financial Cryptography, First International Conference, February 1997.
Springer-Verlag. ISBN 3-540-63594-7. pp. 135-144.
- P. Arora, M. Dugan, P. Gogte, GMU, Survey of commercially available cryptographic...
...chips and IP cores implementing cryptographic algorithms.
December 2005.
- Philips Crypto BV, GCD-Φ General Crypto Device (brochure)
9922 154 22011. Date unknown; probably around 1997.
- Philips Crypto BV, GCD-Φ 2000, General Crypto Device (brochure)
9922 154 22451. Date unknown; probably around 2000.
|
|
|
|
Any links shown in red are currently unavailable.
If you like this website, why not make a donation?
© Copyright 2009-2013, Paul Reuvers & Marc Simons. Last changed: Monday, 04 March 2013 - 18:06 CET
|
 |
|
|
