AEGIS-Based Efficient Solution for Secure Reconfiguration ... · Karim M. Abdellatif, Roselyne...
Transcript of AEGIS-Based Efficient Solution for Secure Reconfiguration ... · Karim M. Abdellatif, Roselyne...
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
AEGIS-Based Efficient Solution for SecureReconfiguration of FPGAs
Karim M. Abdellatif, Roselyne Chotin-Avot, Habib Mehrez
1 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Motivation
Motivation
Authenticated Encryption (AE) algorithms
Low Cost Solutions for Secure FPGA Reconfiguration
Conclusion and future work2 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Motivation
Encryption and authentication
I First approach
Authentication
Decryption
Key1
Key2
Computed
Match? Y/NMAC
MAC
Message
Receiver
Message
Key1
Encryption
Message
Authentication
Sender
Key2
Insecure Channel
MA
C
Encrypted Message
Encrypted Message
Match?
I Second approach
Encrypted Message
MA
C
AuthenticatedEncryption
Computed MAC
Key1
Y/NMatch?MAC
MessageMessage
Receiver
Message
Sender
AuthenticatedEncryption
Key1
Insecure Channel
Encrypted
2 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Motivation
Advantages and applications of the second approach
I One can expect that this is more efficient since encryption andauthentication can share a part of the computation.
I AE algorithms use only one key for encryption andauthentication. Therefore, the key exchange and storageissues are better compared to using two separated algorithms.
AE has been used in many widely standards such as:Secure Sockets Layer / Transport Layer Security (SSL/TLS) [7],IPsec [7], and IEEE 802.11 (Wi-Fi) [10].
3 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Motivation
FPGAs
I They offer the capability to develop the most suitable circuitarchitecture of the application in a similar way to SoC systems.
I They are cost efficient, easier to manage, can immediately beput into operation and, they can continuously bereprogrammed during and after the design.
000010011100110101101001
Application
User Logic
SRA
M M
emor
y C
ellsStatic Part
FPGA
Bitstream
4 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Motivation
Reconfiguration FPGAs
Application
User Logic
SRA
M M
emor
y C
ellsStatic Part
FPGA
Bitstream
Non Volatile Memory (NVM)
IPs loaded on the FPGAs represent a kind of investment thatrequires protection.
5 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Motivation
Authenticated Encryption (AE) algorithms
Low Cost Solutions for Secure FPGA Reconfiguration
Conclusion and future work
6 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Counter with Cipher Block Chaining-MessageAuthentication Code(CCM)
CCM has been specified in:
I IEEE 802.11i
I IEEE 802.15
I IEEE 802.16
I Disadvantages:It is not suitable for on lineapplications as all datamust be stored in memorybefore CCM processing.
+ +
S[i]
P[i]
C[i]
S[0]
Y
MAC
AES
S[L]
AES
KeyCTR[0]
S[0]
AES
KeyCTR[1]
S[1]
AES
KeyCTR[2]
S[2]
CTR[n] Key
AES
+ + +
AES AES AES
Key Key Key Key
Y
CBC mode
N
A p[L]
CTR mode
p[1]
7 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Galois Counter Mode (GCM)
It presets high intrinsic degreeof pipelining and parallelism.
I wireless, optical, andmagnetic recordingsystems.
I high intrinsic degree ofpipelining and parallelism.
I IEEE 802.1ae and NIST800-38D.
AES
Key
AESAES AES AES
+ + +
+ ++
+
GF(2128 )Multiplier
GF(2128 )Multiplier
GF(2128 )Multiplier
GF(2128 )Multiplier
GF(2128
) GF(2128
) GF(2128
) GF(2128
)
"00..00" CTR[2]CTR[1]CTR[0] Key Key Key Key
H
H H H HA
P[1] P[2]
C[1] C[2]
MAC
Encryption using CTR mode
Authentication using GF multiplier
C[L]
P[L]
CTR[L]
Multiplier Multiplier Multiplier Multiplier
8 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Competition for Authenticated Encryption: Security,Applicability, and Robustness (CAESAR)
I CAESAR competition is a move towards selecting a portfolioof AE schemes that should improve upon the state of the art.
I There are some AE schemes have been proposed, and moreare expected to join the ranks with the ongoing CAESAR.
I we present an overview on AEGIS [36] which is considered oneof the candidates to CAESAR.
9 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
AEGIS-128
+
+ + + ++
S S S S S
S S S S S
i,0 i,1 i,2 i,3 i,4
i+1,0 i+1,1 i+1,2 i+1,3 i+1,4
ww
SubBytes
Shift Rows
SubBytes
Shift Rows
SubBytes
Shift Rows
SubBytes SubBytes
Shift Rows Shift Rows
MixColumnsMixColumnsMixColumnsMixColumns MixColumns
m i
Si+1,0 = AESRound(Si ,4, Si ,0 ⊕mi )Si+1,1 = AESRound(Si ,0, Si ,1)Si+1,2 = AESRound(Si ,1, Si ,2)Si+1,3 = AESRound(Si ,2, Si ,3)Si+1,4 = AESRound(Si ,3, Si ,4).
(1)
10 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Initialization of AEGIS
1. Load the key and IV into the state as follows:S−10,0 = IV128
S−10,1 = Const1S−10,2 = Const0S−10,3 = K128 ⊕ Const0S−10,4 = K128 ⊕ Const1.
2. For i = -5 to -1, m2i = K128, m2i+1 = K128 ⊕ IV128.
3. For i = -10 to -1, Si+1 = StateUpdate128(Si ,mi ).
11 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Encryption of AEGIS
1. If the last plaintext block is not a full block, use 0 bits to padit to 128 bits.
2. For i = 0 to (msglen128 − 1), the state is updated to perform
encryption.
Ci = Pi ⊕ Si ,1 ⊕ Si ,4 ⊕ (Si ,2&Si ,3)Si+1 = StateUpdate128(Si ,Pi ).
(2)
12 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Authenticated Encryption (AE) algorithms
Authentication of AEGIS
1. Let tmp = lenA‖msglen, where lenA and msglen arerepresented as 64-bit integers
2. For i= (msglen128 ) to (msglen
128 + 6), mi = Smsglen128
,3⊕ tmp
3. For i= (msglen128 ) to (msglen
128 + 6), the state is updated:Si+1 = StateUpdate128(Si ,Pi )
4. The authentication MAC is generated from the statemsglen
128 + 7 as follows:
MAC = ⊕4i=0(S
(msglen128
+7),i). (3)
13 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Motivation
Authenticated Encryption (AE) algorithms
Low Cost Solutions for Secure FPGA Reconfiguration
Conclusion and future work
14 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Remote reconfiguration
Application
FPGA
User LogicSR
AM
Mem
ory
Cel
lsStatic Part
Public Network
Bitstream
Bitstream
Development
Location
Bitstream
Non Volatile Memory (NVM)
15 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Previous Solutions
Example: Virtex-4 and Virtex-5:
User Logic
SRA
M M
emor
y C
ells
Static Part
FPGA
AES Application
KEncrypted Bitstream
Non Volatile
Memory (NVM)
Bitstream
KAES
Encrypted Bitstream
16 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Previous Solutions
Example: Virtex-6
User Logic
SRA
M M
emor
y C
ells
Static Part
FPGA
Application
AES
k2K1
Match?
bitstream
MAC
Encrypted
Y/N
HMAC
Developer
Bitstream
HMACAES
Encrypted Bitstream
MA
C
k2K1
Encrypted Bitstream
MA
C
Memory (NVM)Non Volatile
17 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Our goal
User Logic
SRA
M M
emor
y C
ells
Static Part
Match?
Low Cost AE
Y/NFPGA
Encrypted Bitstream
MAC
ComputedMAC
Key
Application
Encrypted Bitstream
MA
C
Non Volatile
Memory (NVM)
Bitstream
KeyAE
MA
C
Dev
elop
er
Encrypted Bitstream
18 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Proposed AEGIS-128
0 1 2 3 4 5 6 7 8 9 10 11 12 1413 150 1 2 3 4 5 6 7 8 9 10 11 12 1413 15
Mix C
olumns
SSSSS SSSSSSSSSSS SSSSS SSSSSSSSSSS
0 1 2 3 4 5 6 7 8 9 10 11 12 1413 150 1 2 3 4 5 6 7 8 9 10 11 12 1413 15
S
S
S
Sclck
To key adding stage
8−bit datapath
32−bit datapath
SubBytes
To key adding stage
(a)
(b)
Input (128−bits) Input (128−bits)
Mix Columns Mix Columns Mix Columns Mix ColumnsMix Columns Mix Columns Mix Columns Mix Columns
ShiftRows ShiftRows
19 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Proposed AEGIS-128
x 4
x 3
x 2
x1
x0 +
+
+
+
+
S i,1
S i,3
S i,4
Si,0
Si,2
Si,0
S i,1
Si,2
S i,3
S i,4
S i+1,0
i+1,4S
S i+1,3
S i+1,2
S i+1,1
+
+
+msglen128
,3S
128
1/4 AES Round
S init,0
S
S
S
S
init,1
init,2
init,3
init,4
2im
2im +1
Tag
128
128
128
128
128
128
128
128
128
128
M1
M2
M3
M4
M5
M6
M7
M8
M9
M10
tmp
m iCiphertext (C)
Plaintext (P)
Plaintext (P)
20 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Low Cost Solutions for Secure FPGA Reconfiguration
Hardware comparison
21 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Conclusion and future work
Motivation
Authenticated Encryption (AE) algorithms
Low Cost Solutions for Secure FPGA Reconfiguration
Conclusion and future work
22 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Conclusion and future work
Conclusion
I Giving an overview of security issues used in thereconfiguration of FPGAs.
I Analyzing how well encryption and authentication are veryimportant for trusted designs on FPGAs.
I Proposing an efficient hardware solution using AEGIS, whichis added in the static part of the FPGA (silicon part) in orderto decrypt and authenticate encrypted bitstream.
23 / 24
AEGIS-Based Efficient Solution for Secure Reconfiguration of FPGAs
Conclusion and future work
24 / 24