The long-awaited response from internet engineers to Edward Snowden's revelations of mass surveillance by the US government has been launched in Berlin.
The CrypTech project launched an alpha prototype of its open-source crypto-vault at the 96th meeting of the Internet Engineering Task Force (IETF), and held a two-day workshop prior to the meeting to walk a closed group of net nerds through it.
The prototype will be shown at several encryption sessions at the conference later this week, and the team is selling a small initial batch of the cards – between 25 and 50 of them – online for $800.
"Building open-source hardware is expensive," the group notes. The units will be shipped in September. At the time of writing, just two had been sold.
CrypTech describes itself as "an open hardware cryptographic engine that meets the needs of high assurance Internet infrastructure systems that rely on cryptography." It was launched in December 2014. Despite some heavy backing from Google, Cisco and Comcast, it put out a request for funds in April last year to keep moving forward.
Those funds arrived and the prototype works, the small group of testers and developers announced (having squashed a few bugs). It runs on both open hardware and software designs.
The CrypTech team is diverse: as well as the United States, it has members in Germany, Japan, Russia and Sweden. It has proposed a $1m-a-year budget and a three-year plan to launch and improve its product. The plans will be open-source and the license will "enable use and reuse," according to the team.
The board itself is basically a classic hardware security module (HSM) designed to perform strong cryptography away from prying eyes.
It securely stores public/private key pairs used in digital certificates. Applications running on other computers talk to the board via PKCS#11 over USB. The board performs the necessary operations, such as digital signing for DNSSEC, for the applications without the secret private keys leaving the CrypTech hardware.
Thus, the keys are physically kept separate from the software using them, so if the app code is compromised, the private keys are not: they remain exclusively inside the HSM.
The alpha board comprises software and configurable hardware that can carry out a range of cryptographic operations. It contains an ARM Cortex-M4 processor and a programmable chip – an Artix-7 field-programmable gate array – that can support applications with high-security signing requirements.
Those at the workshop spent most of their time installing and configuring the device and testing the DNSSEC security protocol. The team also has a list of improvements it is working on, including the addition of a battery backup for the device.