
Partitioned security processor architecture on FPGA platform

Internet protocol security (IPSec), secure sockets layer (SSL)/transport layer security (TLS) and other security protocols necessitate high-throughput hardware implementation of cryptographic functions. In recent literature, cryptographic functions have been implemented in software, application specific integrated circuits (ASICs) and field programmable gate arrays (FPGAs), but they are not necessarily optimized for throughput. Because of the various side-channel attacks on cache and memory, and the various malware-based exfiltration of security keys and other sensitive information, cryptographic enclave processors have been implemented which isolate cryptographically sensitive information such as keys. We propose a partitioned enclave architecture targeting IPSec, TLS and SSL, where the partitioned area ensures that the processor data-path is completely isolated from the secret-key memory. The security processor consists of a Trivium random number generator and Rivest–Shamir–Adleman (RSA), advanced encryption standard (AES) and KECCAK cryptographic cores. We implement three different optimized KECCAK architectures. The processing element (PE) handles all communication interfaces, data paths, and control hazards of the network security processor. Memory communication for KECCAK and AES is handled by a direct memory access controller to reduce the PE overhead. The whole system is demonstrated by FPGA implementation using Vivado 2015.2 on an Artix-7 (XC7A100T, CSG324). The implemented KECCAKs perform better in terms of security, throughput and resource usage than those in the existing literature.
