Implementation of Authentication Algorithms for FPGA Bit Stream Security Milind M. ParelkarIntroduction: Concerns over FPGA security have prompted FPGA vendors to introduce security features like bitstream encryption into their FPGAs. For example, the Virtex II Pro family manufactured by Xilinx has Triple-DES security embedded on the chip [6]. There are some apprehensions as to whether only encryption of the FPGA bitstream without bitstream authentication is sufficient to safeguard the design as well as the FPGA itself. Bitstream encryption serves the purpose of safeguarding IP from an intruder so that your design cannot be reverse-engineered easily. It still doesn’t prevent an attacker from putting some gibberish bitstream on to a remotely reconfigurable FPGA which might potentially destroy the FPGA [7]. Hence, bitstream authentication is an equally important aspect of FPGA security as bitstream encryption. Algorithms to be implemented and/or extended: The scope of the project is to implement bitstream authentication using HMACs with Secure Hash Algorithms. Since, the authentication engine will be a part of the FPGA fabric, the HDL codes need to be optimized for an ASIC implementation rather than an FPGA implementation. The algorithms under consideration at this point are: 1. HMAC SHA-1 2. HMAC SHA-256 3. HMAC SHA-384 4. HMAC SHA-512 Some other authentication algorithms may be studied if time permits. In case of some algorithms mentioned above, already existing codes for FPGA implementations will be used. The main objective is to optimize these codes for an ASIC implementation and extend them so that they have a common standard interface. In case of any problems with previous FPGA implementations of these algorithms, these algorithms will be implemented from scratch. Block Diagrams and Signal Descriptions: Block diagrams for all the algorithms to be implemented are provided in the specification. Along with the block diagram, a table indicating the functionality of the signals is also provided. The interfaces closely resemble commercially available IP Cores. Please note that the Block Diagram for SHA-384 is not provided because it is exactly similar to SHA-512 except for the size of the message digest. The length of the message digest for SHA-384 is 384 bits[5].The top-level view for HMAC is shown in the diagram below. Pin Functions: Signal Name Mode Port Width (Bits) Function Message Data In IN mi Message data is input to the Core through this port. Data is input as mi -bit blocks when the DATA READ signal is asserted. After the entire block of data (512 bits for SHA-1, SHA-256 and 1024 bits for SHA-384, SHA-512) is accepted by the core, DATA READ is de-asserted and no Input Data is accepted till DATA READ is asserted again. Last Data Bit Index IN b The index of the last data bit in the last mi -bit word should be input through this port. This is used for message padding and calculation of the length of the message. b=log2(mi) Data Available IN 1 Handshaking signal from the FIFO indicating that Data is available for input to the core. Data Read OUT 1 Control signal to the input FIFO in order to read the available data word. Key Available IN 1 Handshaking signal from the FIFO indicating that Key is available for input to the core. Key Read OUT 1 Control signal to the input key FIFO in order to read the available word of key. Key IN k The key for the MAC is input in terms of words k-bit wide. Start Data IN 1 A pulse on this signal indicates the beginning Message Data In mi Last Data Bit Index b Start Data Reset Clock mo MAC MAC Valid HMAC Core Data Available Data Read Data Write FIFO Full Key k End Data Start Key End Key Key Available Key Read Startof new message text to be hashed. End Data IN 1 A pulse on this signal indicates the end of the current message text to be hashed. Start Key IN 1 A pulse on this signal indicates the beginning of key being used for calculating MAC. End Key IN 1 A pulse on this signal indicates the end of key being used for calculating MAC. Start IN 1 This signal indicates start of a MAC calculation operation for a new message. Reset IN 1 Master Reset Clock IN 1 Master Clock MAC OUT mo MAC is available on this port when the MAC VALID signal is asserted. The length of the MAC will be variable depending upon the algorithm. MAC Valid OUT 1 Indicates MAC is valid when asserted. Data Write OUT 1 Control signal to the output FIFO in order to write the available MAC output. FIFO Full IN 1 Indicated that FIFO is full and cannot accept any more data The top-level entity shown above will be the common interface for all hash functions. The length of the MAC output will be decided by the hash function used. According to [8], the length of the MAC should be at least L/2, where L is the length of the hash output generated by the hash function. Circuit Operation: All the SHA functions included in the specification of this project have similar hardware architectures. The basic concept of all the Hash Functions is the same. All these Hash functions process an input of arbitrary length and compress it down to a message digest of fixed length[1,2]. HMACs provide a security feature by virtue of a secret key. The basic architecture of these functions can be divided into 2 modules. 1. Message Scheduler 2. Message Digest Unit The Message Scheduler Unit accepts an input message block and processes it to produce a message word per clock cycle. The Message Digest Unit accepts the output of the Message Scheduler and along with other constants and some arithmetic and logical operations produces a Message Digest after n iterative rounds. The value of n depends upon the algorithm. n=80 for SHA-1, SHA-512 and SHA-384, whereas n=64 for SHA-256.Language and Tools Language: VHDL Tools: • Simulator: Aldec Active-HDL v6.2, ModelSim • Synopsis Design Compiler and related tools • FPGA Synthesis Tools: Synplicity Synplify Pro v7.6.2, Xilinx XST v6.3 • FPGA Implementation Tools: Xilinx ISE v6.3 Testing VHDL testbench will be used to test the operation of the circuit. Test vectors provided in the specification for the HMACs in the NIST standard will be used to test the functionality of the circuit[5,8]. Optimization Criteria: The optimization criterion for implementation of bitstream authentication algorithms will be minimum area. As mentioned earlier, the authentication core will be a part of the
View Full Document
Unlocking...