Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > Blogs

Rambus 112G SerDes PHY Article in eeweb.com/EE Times

by Leave a Comment

Ken Dyer, Director, Engineering Architecture, is the author of a 112G Long Reach (LR) SerDes PHYarticle in eeweb.com/EE Times network.

The 112G is coming on to the market to comply with growing demands for greater bandwidth for next generation data centers as well as for advanced applications like artificial intelligence (AI) and machine learning, as well as 5G communications.

Dyer calls Rambus’ 112G LR SerDes PHY “the top contender to boost greater performance with acceptable power and area” for those next generation data center and network systems designs.  His article details the new advanced SerDes PHY. However, he explains to SoC and network system designers that they may want data in different ways.

He said, “They also may opt to have a forward error correction (FEC) on the output of the receiver to improve bit error rate (BER) of the received data.  FEC performs that operation by using redundancy.  It transmits slightly faster than the data required, hence extra information is transmitted.  By reviewing the extra information in the received signal, FEC determines if mistakes have occurred or not.”

Dyer calls special attention to today’s higher serial data rates and added that four-level pulse amplitude modulation or PAM-4 has made its entrance and explained how it plays into the 112Gbps SerDes PHY.

He said that “We first need to look at Nyquist loss for NRZ data for a generic legacy channel and for 112Gbps data transmission. Nyquist loss is the insertion loss of the input signal at half the symbol rate.  For NRZ at 112Gbps, its nominally 56GHz. NRZ is two-level data and it’s at a relatively low 70 decibels (dB) at 56 Gigahertz (GHz).

“In short, crosstalk has more power than the signal, hence signal-to-noise ratio (SNR) is negative.  This means error-free communication or signal recovery is not possible.  In this case, if a transmitter is operated at 56Gpbs, data would not be received at all. Therefore, PAM-4 becomes a more viable solution than the traditional NRZ (non-return-to-zero).”

Be looking for sequels to this first 112G LR article in eeweb.com/EE Times network.  Articles, like this one, are designed to help SoC and data center system designers to prepare their next generation designs.

 

112G LR SerDes PHY Ready for Next-Gen Networking Gear

by Leave a Comment

Rambus has officially announced the 112G Long Reach (LR) SerDes PHY. Hemant Dhulla, VP and GM of IP Cores, said, “By leveraging leading 7nm process technology, Rambus is enabling the next generation of communications and data center applications.”

He further stated, “We’re excited to continue to expand our IP portfolio and deliver our customers top-of-the-line performance and flexibility for today’s most challenging systems, including solutions like our 112G LR SerDes PHY.”

As the industry rapidly transitions to 400GB and 800GB wired communication applications, 112G is a key building block necessary to support the ever-growing demand for more bandwidth in data center and network applications, doubling the data rate of 56G SerDes.

Rambus is at the forefront of implementing 112G design to address the long-reach backplane requirements for next-generation data-intensive applications. Those applications include generation terabit switches, routers, optical transport networks (OTNs), and high-performance networking equipment.

The new Rambus 112G LR SerDes PHY provides the optimal combination of power efficiency, performance and area, adding to Rambus’ leading-edge large portfolio of silicon-proven intellectual property (IP), design tools and reference flows. With the introduction of 112G, this technology achieves higher performance to rapidly enable industry infrastructure for the 400GB and 800GB applications.

The 112G LR SerDes PHY uses both PAM4 and NRZ (PAM2) signaling to provide reliable operation across a broad range of data rates. As such, they support legacy protocols, and provide the scalability to achieve the highest levels of performance.

They are built on a configurable architecture, enabling power to be matched to the channel loss. An embedded micro-processor enables firmware-controlled PMA configuration, initialization and adaption for maximum flexibility with minimum SoC integration effort.

The 112G LR SerDes PHY also provides SoC and system designers two other key features.  Its DSP-based architecture hands them improved signal to noise (SNR) and extended reach.  Plus, the 112G is configurable to provide power, performance, and area (PPA) optimization for medium reach (MR) and long reach (LR) applications.

This latest portfolio addition highlights Rambus leadership in high-speed SerDes PHY IP, leveraging the company’s long tradition of signal and power integrity expertise — remaining at the forefront of innovation in interface technology.

For more on the Rambus 112G LR SerDes PHY, check out our eBook.
Download Rambus 112G XSR and LR SerDes PHYs

What is network tokenization?

by Leave a Comment

Andre Stoorvogel, Director, Product Marketing, Rambus Payments

We are seeing an unprecedented shift in consumer spending habits. One in five global transactions are now ‘digital’, with online commerce growing at over six times the rate of in-store sales. But this rapid growth is introducing new challenges. Fraud is rising, yet merchants are under pressure to deliver the seamless payment experiences that consumers increasingly demand.

Network tokenization is one of many technologies that online merchants are turning to in a bid to strike the right balance between high security and a frictionless buying experience.

Yet, we should not think of network tokenization as an optional add-on. Rather, it is a foundational technology enabling secure, simple digital commerce.

What is network tokenization?

With network tokenization, the payment networks replace a primary account number (PAN) with a unique EMV®* payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel.

The question is, how is network tokenization different to existing third-party proprietary tokens?

The main (and crucial) difference is that network tokenization ensures that card details are protected throughout the entire transaction lifecycle. Non-network tokens don’t offer this end-to-end security, introducing weaknesses at various points for fraudsters to exploit.

Network tokenization also introduces improved credential lifecycle management to keep card details current, whereas proprietary tokens do not always have issuer permission to access and manage the underlying account data.

Finally, network tokenization opens opportunities for new, enhanced buying experiences across existing and emerging channels.

What are the benefits of network tokenization for online commerce?

To fully appreciate the unique value that network tokens bring to the payments ecosystem, we need to understand how they can address the key pain points for e-commerce merchants.

 

 

  • Reducing the cost of fraud

We can’t get away from it. Online commerce has a fraud problem.

E-commerce fraud is growing twice as fast as e-commerce sales, with retailers set to lose$130 billion between 2018 and 2023.

We should not be surprised that one in two US merchants see fraud prevention as ‘an increasingly challenging task’. They are already spending$3.48 to combat every dollar of fraud (and this is set to rise with the global cost of fraud prevention increasing by 4% year-on-year).

And yet, the fraud rates keep on climbing. In a hyper-competitive industry where every cent counts, blindly throwing money at a problem is not a sustainable strategy.

The end-to-end security proposition of network tokenization significantly reduces the risk, and mitigates the impact, of malware, phishing attacks and data breaches. Put simply, tokenized card data is useless if stolen and for this reason, network tokenization should be the foundation on which a layered fraud management approach is built.

  • Combatting false declines

Given the scale of the fraud challenge, merchants and issuers are understandably adopting a cautious approach. Transaction approval ratesfor digital transactions stand at around 85%, compared to 97% for in-store transactions.

This leads to a high prevalence of ‘false declines’, where a valid transaction from an authorized cardholder is rejected by the merchant. Often the cause is something simple, such as an outdated billing address, but the results can be incredibly damaging.

Globally, false declines cost merchants $331 billion. 66% of consumers stop shopping with a retailer after a false decline. Unnecessary declines outstrip actual fraud 13 times over. Most tellingly, US e-commerce merchants are losing a total of $8.6 billion to declines, compared to the $6.5 billion of fraud they are actually preventing.

Network tokens can increase approval rates to reduce instances of false declines. This is because card details are automatically updated and refreshed, making it less likely for an erroneous data point to raise a red flag. Also, tokenized transactions are inherently more secure so less likely to be viewed as risky.

  • Enhancing the checkout experience

Despite the huge challenges posed by rising fraud, it is telling that 91% of merchantsidentify ‘minimizing the amount of friction introduced into the user experience’ as the main priority when evaluating their approach to securing payments.

Introducing additional friction into the checkout process, then, is a no-go. But as network tokenization reduces the value of the underlying sensitive data, it adds an invisible layer of security.

We must also remember that merchants want to focus on payment innovation, not fraud prevention. Network tokenization is more than just a security play, and can be used to enhance the buying experience.

For example, it enables consumers to see a fully branded card when checking out, rather than a mish-mash of starred credentials and the final four digits. This boosts recognition, familiarity and engagement.

It also enables payment details to be instantly refreshed when a card is lost, stolen or expires. Better still, it can enable consumers to keep track of where and when their payment credentials are being used. For example, card details could easily be push provisioned to merchant apps.

What is the industry roadmap for network tokenization?

Given the clear benefits, we are already seeing strong momentum for network tokenization for card-on-file transactions. And with EMV® Secure Remote Commerce poised to debut in 2019, we can expect to see network tokenization extend to ‘guest checkout’ experiences.

There are options available for merchants and payment service providers (PSPs) looking to implement network tokenization solutions. For those with significant strategic resource, time and technical capacity, direct integration with the payment systems is an option.

Alternatively, for those looking to move quickly, qualified technology partners offer a fast-track to the immediate benefits of network tokenization (without the potential integration headaches).

For more information on network tokenization, visit the Rambus Payments Resource Library.

* EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Digital Trends highlights Rambus CryptoManager Root of Trust

by Leave a Comment

Jon Martindale of Digital Trendsrecently sat down with Ben Levine, Rambus’ senior director of product management, to discuss the ever-growing importance of designing secure processors in the wake of Meltdown and Spectre.

According to Levine, the semiconductor industry has traditionally maintained a reactive posture to security by waiting for critical vulnerabilities to surface before fixing them. Although there are many reasons for this approach, it is important to note that designing a secure, general-purpose processor has always been a rather challenging proposition.

As Levine point out, this is precisely why the Rambus CryptoManager Root of Trustshifts critical functionality from a complex, general-purpose CPU to a secure core that is siloed from the primary processor. Indeed, the Rambus CryptoManager Root of Trustcan be safely tasked with securing encryption keys, validating banking transactions, processing login attempts, storing private information in secure memory and validating that boot records haven’t been corrupted or compromised during startup.

“The idea is not to come up with one CPU that can do everything to be very fast and be very secure, but rather, let’s optimize different cores separately for different objectives,” Levine explains. “[We’re saying] let’s optimize our primary CPU for performance or lower power – whatever is important for that system – and optimize another core for security. [For example, implementing] cryptographic algorithms, encrypting or decrypting from an algorithm like AES, or using a public key algorithm like RSA or elliptic curve is relatively slow to do in software. [However], a security core [with] hardware accelerators can do it much faster.”

Depending on the application, says Levine, the use of a secure core will likely happen at the OS and system level, rather than the application level.

“If you’re building your OS and overall system software correctly, then you can utilize most of that security functionality without application developers having to worry about it,” he states. “You can provide APIs to expose some of the security core functionality that could easily be consumed by the application developer like encrypting and decrypting data.”

In addition, Levine notes that the Rambus CryptoManager Root of Trustsecure core is (physically) tiny in comparison to the primary processor.

“There’s really no significant impact on the cost of the chip, power, or thermal requirements. You can do a lot in a small logic area if you design it carefully. We’re shooting for simplicity and if you keep something simple you keep it small. If it’s small it’s low power,” he elaborates. “These cores should be and need to be much smaller than one of the main big CPU cores that you get in a chip from Intel or AMD. It won’t be seven plus one, it will be eight or whatever core processor and one or perhaps more than one, small security core that provides security functions for all of the other cores.”

 

Levine also emphasizes that there will always be additional exploits and vulnerabilities beyond Meltdown and Spectre.

“These exploits are not the only vulnerabilities out there. There will always be more. The complexity of modern processors makes that inevitable. Let’s change the problem and let’s accept that there will be more vulnerabilities in general purpose CPUs and the things that we care a lot about, like keys, credentials, data, let’s move it out of the CPU and let’s bypass the whole problem,” he concludes.

Interested in learning more about the Rambus CryptoManager Root of Trust? You can check out our CryptoManager Root of Trust product page hereand our CryptoManager Root of Trust white paper here.

Fault Injection Attacks PlayStation Vita’s SoC

by Leave a Comment

Security researcher Yifan Lu recently published a detailed paper that examines how voltage glitching causes critical timing violations in CMOS behavior. More specifically, Lu closely analyzes CMOS transistor behavior to better understand when the combinational logic is most susceptible to voltage glitch induced faults. The paper also describes a real-world fault injection attack against the PlayStation Vita’s SoC that gains early (boot time) execution control and dumps the secure boot ROM.

Picture of a lock on the board

As Lu notes, glitching, or fault injection, has been used for quite some time to attack software running on allegedly secure execution environments. This is because fault injections can cause a malfunction in the target’s SoC that enable an attacker to assume full control over a device. Voltage glitching, he says, is a specific kind of fault injection that is particularly appealing to attackers, as it is inexpensive to deploy and widely applicable to most chips. Crowbar glitching, he adds, was implemented in the ChipWhisperer open hardware platform and brought such attacks to the mainstream.

“It works by abusing the capacitance ringing effect caused by introducing a crowbar circuit into the existing system,” he explains. “The ringing causes faults that can be exploited.”

For the Vita attack, Lu closely examines how voltage glitches introduce timing violations into a digital circuit. He then finds snippets of code to glitch. Once a target is identified, he searches for the correct timing parameters for the crowbar circuit to cause a fault. Finally, the injected fault introduces a software vulnerability that is exploited to gain code execution.

“All of this can be done at a low cost thanks to the open hardware interface of the ChipWhisperer. With a custom script written for ChipWhisperer, we created a working attack on a security hardened consumer device,” he concludes.

From our perspective, the fault injection attack against the PlayStation Vita’s SoC could have been prevented if it had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against fault injection and other attacks. These include a canary core for the detection of glitching and over-clocking, logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks, power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.

Fault Injection Attacks: Bart Stevens Explains In eeweb.com/EE Times Article

by Leave a Comment

We’ve all heard about micro-architectural vulnerabilities, Meltdown, Spectre, and Foreshadow.  Volumes have been written about them in the trade and popular press. Indeed, they are the top villains of the electronics world.

Chip

Meanwhile, academicians and scholars are closely investigating yet another group of bad actors that – like those vulnerabilities – are up to no good and are also attacking electronics systems. These are fault injection attacks or FIAs.

Bart Stevens, Sr. Director, Product Management for the Cryptography Product Group, recently wrote a piece for eeweb.com/EE Times network to explain to SoC and system designers what FIAs are all about and how best to skirt them in their next generation designs.

Simply put, he says, the whole idea of an FIA is to make silicon do something else besides what it’s intended to. The attackers objective is to create a transient fault during the execution of some particular chip operation or lead to the reduction or disabling of security features and countermeasures.

Two examples Stevens writes about are voltage and clock glitching.  In the first one, he says the attacker increases voltage or creates a fake glitch in the system. As for clock glitching, he says one or more short pulses in the external clock are introduced to temporarily accelerate the chip’s clock.

Stevens tells eeweb.com/EE Times network readers that embedded security establishes the barriers to guard against FIAs and chip vulnerabilities.

“Certain key countermeasures like those in Rambus’ Root-of-Trust core are critical to assure the SoC and system designer an attacker is completely deprived of any attack avenue.  Those countermeasures include items such as critical control signal redundancy, canary logic, separated key bus logic and logic to protect cryptographic algorithm implementations,” Stevens asserts.

Check out Rambus’ DPA Workstation (DPAWS) that’s available with Riscure fault injection products offering complete fault injection functionality and differential fault analysis (DFA).