Two months ago, I wrote about how Dave Brier of Texas Instruments proposed that the EDA industry use the public-domain PGP encryption scheme to protect distributed intellectual property. "Our idea is to use a true encryption engine, with no proprietary anything, to create secure source files for the exchange of IP via PGP," wrote Dave. "PGP is readily available around the world and easily used. We are proposing that all EDA tools be able to call the PGP algorithm when they read a file if required."
Another user, John Allen of Iron Bridge Networks, agreed in principle with Dave, writing, "PGP is the most underused technology of the late 20th century. Very sad. It deserves great success. Even Intel supports PGP, but most people are clueless about it."
But, in the Internet marketplace of ideas, it turns out at least one EDA vendor saw some real holes in Dave Brier's egalitarian PGP IP proposal.
"It doesn't matter what encryption algorithm is chosen, it doesn't solve the problem," wrote Steven Sharp of Cadence. "The problem is, who gets the key? You can't put the key into some published standard, because then anyone could decrypt and steal the code. IP vendors can't give their key to their licensed users, because if the user could be trusted, the encryption wouldn't have been needed. That means that the key has to be embedded in the tools.
"Now the question becomes, which tool vendors do we trust with this key?" continued Steven. "Since it is a standard, should we give it to any vendor who wants it? What about a vendor whose product is a code decrypter to let people steal IP, or is just a front for a company stealing IP?
"One possible alternative would be for each IP vendor to use a different key and provide it to those vendors they consider trustworthy. This would complicate the entire process, and is still susceptible to leaks and the resulting finger-pointing.
"There are other weaknesses in using a standard encryption package. Since every user has a decrypter built into their tools, they can try to reverse-engineer it enough to extract a key or the decrypted model. The more that is known about the algorithms and the code, the easier this is. If it is some separate program with publicly available source code, it is a trivial matter of modifying it to print out the decrypted source that is being fed back into the tool.
"People who talk about standard code encryption don't understand the problem that is being solved," Steven concluded.
Wow, he's not holding back one bit; he really doesn't think PGP solves anything. Whoa.
John Cooley runs the E-mail Synopsys Users Group (ESNUG), is a contract ASIC designer and loves hearing from engineers at jcooley@world.std.com or (508) 429-4357.