Implementing FPGA identification and copy protection with secure memory

Source: Internet
Author: User

Http://hi.baidu.com/snail_space/blog/item/fc13fe1ee5e166f3e1fe0ba9.html

Problem statement

Developing electronic products, including the configuration code for embedded FPGAs, is costly. Designs and configurations must therefore be protected against copying by unauthorized parties in order to protect the designers' intellectual property. There are several ways to implement this protection. High-end FPGAs such as the Xilinx Virtex-II and Virtex-4 support encrypted configuration data streams, which work only if the FPGA holds the matching key. This encryption approach is not suitable for the wider range of cost-sensitive applications, however. For those, another feasible method, identification, is used to prevent unintended copying. This method applies to all FPGA families.

Design concept

The identification concept requires the FPGA designer to implement the ability to communicate with a secure memory for authentication. Figure 1 is a simplified block diagram of such a design, in which a DS2432 1-Wire memory provides security control and protection for the FPGA.

The secure memory chip must meet the following requirements: it contains a key that is used for operations inside the chip and is invisible to the outside world; it contains a unique, unchangeable identification number, which can be used to compute a device-bound key; and it can perform a hash operation over the key, a random number (used as the challenge), the unique identification number, and additional data (a constant).

To meet the security requirements of the application, the hash algorithm must be irreversible, meaning it is infeasible to compute the input data from a hash result; collision resistant, meaning it is infeasible to find another set of input data that produces the same hash result; and have a strong avalanche effect, meaning any change in the input data changes the hash result substantially.

SHA-1 is a thoroughly and widely reviewed one-way hash algorithm that meets these requirements. Its main features are: irreversibility, meaning it is computationally infeasible to derive the input message from the MAC, or to compute the input that corresponds to a given SHA-1 output; collision resistance, meaning it is impractical to find more than one input that produces the same given output; and a strong avalanche effect, meaning any change in the input causes a large change in the MAC result. SHA-1 has been carefully reviewed and was adopted in ISO/IEC 10118.

The DS2432 secure memory is an ideal solution

The DS2432 is a secure memory with a built-in SHA-1 algorithm. SHA-1 memories provide a low-cost, efficient solution for accessory/peripheral identification, tamper protection, and memory authentication applications. The DS2432 and the DS28E01-100 are both secure memories with a built-in SHA-1 algorithm. Their 1-Wire (single-bus) interface is ideal for this application because it needs only one FPGA pin to implement these features. This suitability follows mainly from the device's functional features.

The DS2432 integrates 1024 bits of EEPROM, a 64-bit key, and a 512-bit SHA-1 engine in a single chip, providing secure, advanced authentication at very low cost. To modify DS2432 data, the 1-Wire host must correctly compute and send a 160-bit SHA-1 message authentication code (MAC), which requires prior knowledge of the DS2432 data, including the undisclosed 64-bit key. The DS2432 also provides a read memory command that automatically computes a 160-bit MAC and delivers it to the 1-Wire host. Because this computation uses the undisclosed key, it gives the host an effective way to identify DS2432-based accessories or peripherals. In addition, the device provides permanent write protection and an OTP EPROM mode. Each DS2432 has its own 64-bit ROM registration number, written at the factory, which gives the product or system it is embedded in a unique ID. This unique 64-bit number is also one of the inputs to the SHA-1 computation. The DS2432 communicates and operates over the single-contact 1-Wire interface, and can be read and written over a wide range of -40 °C to +85 °C and 2.8 V to 5.25 V. Figure 2 shows the DS2432 and the external microcontroller (μC).

DS2432 SHA-1 secure memory data units and data paths

Figure 3 shows the DS2432's 1-Wire interface, the main data units of the 1 Kb SHA-1 secure memory, and the data paths. It shows the 8-byte key and the buffer memory that temporarily stores the challenge. Data units not mentioned earlier include the unique device ID (a standard 1-Wire feature), four user EEPROM pages, control registers, and system constants. The device ID serves as the node address on the 1-Wire network and is also used for authentication. The user memory stores the main part of the "message" to be authenticated. The system constants satisfy formatting requirements and provide padding, so that the input forms the 64-byte data block over which SHA-1 is computed. The control registers select specific device functions, such as optional write protection of the key or EPROM emulation mode. The control registers are generally not used in the authentication process.

Message authentication code

The security of the DS2432 SHA-1 memory rests on the message authentication code (MAC) used in communication in both directions. A MAC is computed by running SHA-1 over an input message that consists of a public string (the memory contents, the device's unique serial number, and a random challenge) combined with the secret key. The resulting digest (or hash) is called the MAC. Transmitting the MAC together with the message provides a secure way to prove knowledge of the key and to verify that the data was not tampered with in transit. On a read, the SHA-1 memory responds with a MAC that proves it is authentic and that the host received the data correctly. On a write, the host supplies a MAC to prove that it is authorized to modify the device's memory contents and that the device received the new contents correctly. To use the security features of these devices, the FPGA must be able to: generate random numbers; know a key that is used for computation inside the chip and is invisible to the outside world; and, like the secure memory, compute a hash over the key, the random number, the additional data, and the device identification number.

A successful attack on a MAC-based security system amounts to finding the key. For most existing SHA-1 memory devices, the key is 64 bits long and write-only (new devices with longer keys will be introduced soon). The attacker sends a challenge to the device, reads the MAC the device generates, and then searches exhaustively through all 64-bit values until a matching MAC is found. This process requires 2^64 SHA-1 operations. A 64-CPU Cray X1 supercomputer would need more than 10 years for this computation.

Finding a message that matches a given digest requires 2^160 operations (far more than the 2^64 operations needed to find the key). Because the input length is fixed at 512 bits, of which 448 bits are known public data, the most direct approach is to find the correct value of the remaining 64 bits, that is, the key. As long as the original message cannot be derived from a given digest, no attack is more effective than an exhaustive key search.

Note: although the 2^64 operations needed to find the key are fewer than the 2^69 operations needed to find a message collision, the two attacks are not comparable. Even if researchers found a SHA-1 collision in 2^50 operations, the key would still have to be found with 2^64 SHA-1 operations. Although this new attack is a new way to find a collision between two arbitrary inputs, it cannot be used to find a collision for a given input, because the collision attack requires carefully chosen input messages.

This analysis shows that the security of SHA-1 as defined has two aspects: collision resistance and irreversibility. The usefulness of these devices depends on the robustness and security of the secure hash algorithm.

Meeting the FPGA requirements listed above calls for microcontroller capability inside the FPGA, such as PicoBlaze, a free macro for Spartan-3, Virtex-II, Virtex-II Pro, and Virtex-4 FPGAs and CoolRunner-II CPLDs. PicoBlaze uses 192 logic cells, which is only 5% of a Spartan-3 XC3S200 device.

Implementation of FPGA identification and anti-copy technology

When the device powers on, the FPGA reads its data from the flash PROM and configures itself. After configuration completes, the FPGA's microcontroller function starts and performs authentication. The authentication consists of the following steps: generate a random number and send it to the secure memory as the challenge (Q); send a command that tells the secure memory to compute a hash result from its key, the challenge, the unique identification number, and the fixed additional data; have the FPGA itself compute the expected hash result (E) from its own stored key, the same data that was sent to the secure memory, and the fixed additional data; read the hash result computed by the secure memory as the response (A) and compare it with the expected hash result (E).

If A matches E, the microcontroller treats the circuit as a "friend," because it holds the correct key. In this case the FPGA operates normally and all functions in its configuration data are enabled and executed. If A and E do not match, the circuit is treated as an "enemy." In this case the FPGA does not operate normally and performs only limited functions. Figure 4 illustrates the flow of the FPGA identification and anti-copy process.

Security analysis of FPGA identification and anti-copy technology

For each unit to be built, the designer (OEM) must supply a correctly pre-programmed DS2432 to the party that manufactures the product with the embedded FPGA (the manufacturer, or CM). This one-to-one relationship limits the number of authorized products the CM can build. To prevent the CM from tampering with the secure memory (for example, by requesting additional memories on the grounds that some were not programmed correctly), write-protecting the key is recommended. Even without write protection, there is no need to worry about the security of the data in the 1-Wire EEPROM: by design, the memory data can be changed only by someone who knows the key. This yields a useful additional feature. Designers can use it for soft feature control: the FPGA can enable or disable functions based on data read from the SHA-1-protected memory.

It can be inconvenient or infeasible for OEMs to program these devices before distributing them to the CM. To address this, Dallas Semiconductor offers OEM customers a pre-programming service for the SHA-1 key and the EEPROM array. With this service, the Dallas Semiconductor factory registers and configures the devices to the customer's specification and then ships them directly to the CM. The service has the following advantages: the OEM does not need to disclose the SHA-1 key to the CM; the OEM does not need to perform pre-programming itself; only third parties authorized by the OEM can obtain registered devices; and Dallas Semiconductor keeps records of the number of units shipped for OEM audit.

Beyond the security properties of SHA-1, the security of the authentication described above depends on the key, which cannot be read from the secure memory or from the FPGA. Furthermore, the key cannot be discovered by eavesdropping on the configuration data stream while the FPGA is being configured. Much like trying to recover the C++ source code of a Windows application from its executable, working out the system design by reverse engineering the data stream (in an attempt to skip the authentication process) is a very difficult task.

Another critical security factor is the random challenge Q. A predictable challenge (such as a constant) produces a predictable response, which can be recorded and then played back by a microcontroller that takes the place of the secure memory. In that situation, the microcontroller can make the FPGA treat it as a "friend" circuit. A random challenge eliminates this possibility.
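The authentication sequence and the role of the random challenge Q described above, as an added example that is not part of the original article. It is a simplified Python model, not the DS2432's bit-exact MAC input layout; the class and function names, the 3-byte challenge length, the constant and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CONSTANT = b"\xff" * 4  # constructed stand-in for the fixed additional data

def sha1_mac(key, page, challenge, rom_id):
    # Simplified model: the real device packs these fields into one 64-byte block.
    return hashlib.sha1(key + page + challenge + rom_id + CONSTANT).digest()

class SecureMemory:
    """Model of the secure memory: the key is used internally, never returned."""
    def __init__(self, key, rom_id, page):
        self._key, self.rom_id, self.page = key, rom_id, page

    def read_authenticated(self, challenge):
        return self.page, sha1_mac(self._key, self.page, challenge, self.rom_id)

class ReplayStandIn:
    """Holds no key; can only repeat one previously recorded response."""
    def __init__(self, rom_id, page, recorded_mac):
        self.rom_id, self.page, self._mac = rom_id, page, recorded_mac

    def read_authenticated(self, challenge):
        return self.page, self._mac

def authenticate(device, host_key, challenge=None):
    """FPGA side: True means "friend", False means "enemy"."""
    q = challenge if challenge is not None else secrets.token_bytes(3)
    page, a = device.read_authenticated(q)           # response A
    e = sha1_mac(host_key, page, q, device.rom_id)   # expected result E
    return hmac.compare_digest(a, e)

def demo():
    key = bytes.fromhex("0123456789abcdef")        # constructed 64-bit key
    rom_id = bytes.fromhex("3300000012345678")     # constructed 64-bit ROM ID
    page = b"FEATURES:0001".ljust(32, b"\x00")     # constructed 32-byte page
    genuine = SecureMemory(key, rom_id, page)
    fixed_q = b"\x00\x00\x00"                      # a predictable, constant Q
    _, recorded = genuine.read_authenticated(fixed_q)
    stand_in = ReplayStandIn(rom_id, page, recorded)
    return {
        "genuine_random_q": authenticate(genuine, key),
        "host_key_mismatch": authenticate(genuine, b"\x00" * 8),
        "replay_constant_q": authenticate(stand_in, key, fixed_q),
        "replay_random_q": authenticate(stand_in, key),
    }
```

With a constant Q the keyless stand-in is accepted; with a fresh random Q per power-up the recorded response no longer matches E and it is rejected.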

Binding a unique key to each device raises the security level further. The unique key is computed from a common master key (CMK), the device's unique identification number, and a constant specified by the application. Under these conditions, if one key is cracked, only one device is affected and the security of the whole system is not compromised. To implement this, the FPGA needs to know the master key and must compute the key used by the memory before it computes the expected response (E).
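A sketch of the device-bound key scheme described above, added here as an example and not taken from the original article. The derivation (SHA-1 over master key, ROM ID and constant, truncated to 64 bits), the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

APP_CONSTANT = b"FPGA-IFF-v1"  # constructed application-specific constant

def derive_device_key(master_key, rom_id):
    # Assumed construction: hash master key, ROM ID and constant,
    # then truncate to the 64-bit key size of the secure memory.
    return hashlib.sha1(master_key + rom_id + APP_CONSTANT).digest()[:8]

def mac(key, rom_id, page, challenge):
    # Simplified MAC model, not the device's exact input block layout.
    return hashlib.sha1(key + page + challenge + rom_id).digest()

def host_accepts(master_key, rom_id, page, challenge, response):
    """FPGA side: derive this device's key from its ROM ID, then compare E with A."""
    expected = mac(derive_device_key(master_key, rom_id), rom_id, page, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    rom_a = bytes.fromhex("3300000000000a01")                   # constructed ROM IDs
    rom_b = bytes.fromhex("3300000000000b02")
    page, q = bytes(32), b"\x01\x02\x03"
    key_a = derive_device_key(master, rom_a)
    key_b = derive_device_key(master, rom_b)
    # Device A answers with its own key behind its own ROM ID: accepted.
    own = host_accepts(master, rom_a, page, q, mac(key_a, rom_a, page, q))
    # Device A's key placed behind ROM ID B: rejected, so one exposed
    # device key does not carry over to other units.
    moved = host_accepts(master, rom_b, page, q, mac(key_a, rom_b, page, q))
    return key_a != key_b, own, moved
```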

Conclusion

This article describes how to use the DS2432 secure memory for identification in order to protect an FPGA design. Along with identification, the same device can also provide software function management and circuit board identification.

The identification concept (IFF) protects intellectual property against illegal cloning. It requires only the addition of one low-cost chip and an update to the FPGA configuration code. Secure memory chips and their in-circuit programmability let designers change the configuration remotely to manage software functions without sending technicians to the site. Secure memory that is not used for software function management can be used for circuit board identification.
