asics & fpgas security - on semiconductor · 24 june 2008 components in electronics asics &...

24 June 2008 Components in Electronics www.cieonline.co.uk

ASICs & FPGAs

extract the previously stored key code.Ensuring that all of the information in a non-

volatile memory has been completely erasedrequires multiple writes of all ‘0’s, all ‘1’s, or acheckerboard pattern, a process that typicallyrequires at least 20 clock cycles. The anti-tamperingsystem must therefore at all times retain sufficientpower to drive the anti-tamper logic and enable theerasure process. Such a system can be designed withcomponents as simple as a large capacitor to storepower, but this power supply itself requiresprotection against tampering. Moreover, it is notbeyond the realms of possibility that 20 clock cyclesmay not be immediate enough for clearing thememory to defeat sophisticated tamper techniques.

Clearing all tracesErasing CDs or DVDs also has its own unique set ofconcerns. The CD or DVD can be destroyed withacids or fire, but for all practical purposes thisrequires the system operator to anticipate the threatof tampering and act accordingly. Electrical erasureis possible with some formats, but is timeconsuming, and, as with non-volatile memory,must ensure that no residual data is left on themedia.

To solve these problems, several FPGA suppliershave offered encrypted configuration file memorysolutions. These provide the benefit of not requiringa battery back up and power management circuitry,since they store the key in non-volatile memorywithin the FPGA, which provides some inherentbarriers to reverse engineering. However, the keycode remains in non-volatile storage and, althoughthe reverse engineering and/or obfuscation barriersare somewhat increased, they are notinsurmountable with sufficient resources.

Because of the challenges of non-volatile storage,volatile memory is most commonly the solution ofchoice in applications that require truly robustsecurity. Anti-tamper logic clears the memory if thesystem is tampered with, and a battery is includedto ensure data retention when the system is shutdown. Power management circuitry is required toswitch between system-powered and battery-powered states, and minimise battery drain.

The pros & consSuch a solution has its own inherent drawbacks. Aclock may be required to refresh the memory,whether the system is powered-up or on batterystandby, increasing the drain on the battery. Moreseriously, recent studies have shown that data

Today’s electronic systems – both militaryand civil – are equipped with an ever-increasing raft of security measures.Theseincorporate not just secure hardware, but

also require the use of a rapidly-evolving set ofcomplex encryption algorithms.

And yet, all of these features can be rendereduseless if an unauthorised individual (ororganisation) gains access to the system’s securitykey codes. The choice of storage medium for suchkeys, and of techniques for protecting them, istherefore a critical decision in ensuring the overallsecurity of the system.

System securityA typical secure communications processing systemhas at its core a complex encryption/ decryptionengine implemented either via custom logic (anASIC or FPGA), or with a more general-purposemicroprocessor and custom software defining theencryption algorithm. In most cases, the secure keycode is stored in a separate memory chip off-chipfrom the encryption engine that is powered by abattery, an approach that ensures that the keys areconstantly accessible when system power is on, andyet are retained or backed up for long periods whenthe system power is shut down.

The need to keep the keys off-chip, however,increases the difficulty of securing them againsttampering. Most secure encryption systems willinclude anti-tampering logic that will immediatelyclear the keys if system tampering has beendetected. Such anti-tampering countermeasures aretypically implemented with a layered approach,overlapping and integrating a mix of mechanicaland electrical techniques.

Integral to devising an effective security system isthe choice of storage medium itself. The mostobvious choice is to use non-volatile memory suchas flash, EEPROM, or permanent storage media suchas CDs or DVDs. These systems are inherently ableto retain data when system power is shut down, andcan be protected with circuitry that erases the keysin the event of tampering.

However, such a system must be exceptionallywell designed to resist a determined attack. In the case of flash memory or EEPROM, it mightappear that it would be adequate to include logic to assert a “clear” signal to reset individual logic bits to logic ‘0’. However, the individualmemory bits will always retain some amount of charge from their previous state, allowingreverse-engineering techniques to be used to

Ramping security protocols are a necessary measure to safeguard againstintruders. Dave Locke looks at an encryption option in defence

stored in DRAM may not be instantaneously lostwhen power is removed. Research reported byPrinceton University Centre for InformationTechnology Policy has demonstrated that such datamay be retained for seconds or even minutes afterpower-down. This is true even when the memoriesare removed from their motherboards, allowingalgorithms to be used to read back sensitive data.

The ideal solution to this design problemcombines a number of features. The system must beable to detect tampering and trigger an erase of thesecure key code memory; the memory should beerased as quickly and completely as possible toprevent reconstruction of its contents; and yet thebattery lifetime must be long enough to retain thekeys throughout power-down, potentially over aperiod of years.

Of the solutions we have already examined,volatile memories best meet these requirements.They can be erased with a direct action clear signalwithout the need to generate any clock signals. Anactive-low clear signal can be used to work withelectro-mechanical designs that tie the clear signalto system ground when a tampering event occurs.The use of battery power coupled with a low powermemory and power management circuitry canretain codes stored in volatile memory for longperiods of time without system power applied.

To operate successfully they require powermanagement circuitry, creating a new hybrid powerdomain. Whilst it can also be used to power someor all of the anti-tampering logic, it is because ofthis additional power domain that system designerscannot integrate the secure key code memory andany of the anti-tamper logic into theencryption/decryption engine – whether it isimplemented as a microprocessor, ASIC or FPGA. Asa result, the system implementation of the volatilememory requires multiple components on thesystem board.

Moreover, for each component on the systemboard that stores, reads or writes the secure keycode, there is a corresponding increase insusceptibility to a tampering event that could revealthe key itself. In addition, the system operationalreliability decreases and manufacturing costsincrease with each additional component mountedon the system board.

These problems can be solved by the use of anASIC, FPGA or microprocessor platform thatincludes an on-chip encryption/decryption engineand supports volatile memory powered by aseparate power domain. Key characteristics of suchan integrated device include no external access tothe secure key code memory other than the clearsignal, built in power management, a separatepower domain for the secure key code memory andconfigurable anti-tamper logic.

In practiceIntegrating these functions into a single productoptimises system security while improving systemreliability and decreasing manufacturing costs.Potential solutions would integrate an encryptionengine such as ON Semiconductor’s XPressArray-IIstructured ASIC platform with the secure memoryand power management circuits to realise anoptimum solution. This kind of development istechnically feasible with mature silicon technologies,and requires only the commitment of a supplier tothe secure military communications market.ON Semiconductor ❘ www.onsemi.comDave Locke is Mil/Aero Product Manager at ONSemiconductor

SecurityCIRKEYTRY

CIE_June08_p24:new 3/6/08 17:01 Page 24