Modernizing FPGA Bitstream Authentication

Brief History of FPGA Bitstream Authentication

Static Random Access Memory (SRAM) based FPGAs now have almost twenty years of history in the design of embedded and, recently, standard compute platforms. They provide some of the parallelism and hardware acceleration benefits of fixed-function ASIC accelerators, but also some of the advantages of programmable processors, in that the same chip can be programmed and reprogrammed to perform many functions.

For corporations investing the time, effort, and know-how into designing FPGAs for their embedded systems, the FPGA design itself increasingly became highly valuable corporate intellectual property requiring protection. So security features were developed by the handful of major FPGA vendors – primary among them being encryption of the FPGA bitfile, protected by a secret key. A history of some of these features can be found in an IEEE survey of security published in 2014.

Although protecting the FPGA bitstream from loss or theft was achieved, encryption and a handful of other features supporting it did not protect the FPGA bitstream from random or deliberate manipulation or malicious replacement in a system. So Saar Drimer (arguably first) and others proposed or discussed the addition of authentication capabilities to sensitive bitstreams. External solutions were either discussed or offered by companies like Maxim and Infineon.

FPGA vendors then made authentication solutions available in the form of symmetric key hash message authentication codes (HMACs) in the bitstream, authenticating modes of the Advanced Encryption Standard (AES-GCM), then eventually full bitstream signature-based authentication.

What HMAC Does and Does Not Do

Combining encryption and HMACs in a bitstream has been standard practice in FPGA security for some time. If they are implemented in the same process (such as the Galois Counter Mode, AES-GCM) then they likely use a single key for both encryption and authentication. If they are separate processes, then it is possible to use two separate keys, although that creates the need to identify, store, and protect two different keys.

When using HMAC for authentication and sharing a key with encryption, a compromised key allows for both loss of IP and malicious exploitation of the system. In addition, symmetric key hashes do not provide a security property that asymmetric key digital signatures do: non-repudiation. This is essentially a thread of traceability as to where a compromised bitstream may have come from.

When layering encryption and HMACs together in a bitstream, it is also important to specify the order of operation in the FPGA configuration process. Decrypting prior to authentication can generate side channel information from the encryption process, allowing for other key compromise attacks.

Finally, although initially praised as a ‘dual purpose’ encryption mode, AES-GCM has seen a large number of published vulnerabilities and OpenSSL security patches over the years that have lowered overall confidence in its robustness.

Experiments in Authenticating Entire Bitstream

Some of the difficulties in using asymmetric keys and digitally signing an entire FPGA bitstream were identified in Drimer’s original paper on FPGA bitstream authentication. The issue is the size of the bitstreams (growing with every generation of FPGAs) and the inability to buffer all of that data in the FPGA while the signature is being verified. The one bitstream digital signature solution on the FPGA market today exhibits this limitation and passes the cost on to the user: authentication can triple the configuration time of the FPGA.

Introducing ‘Hash Chaining’

One technology with a rising profile in digital security is the ‘block chain’. Block chain security takes advantage of the idea of hashing each block of data together with the hash of the previous block, and carrying this forward such that the correctness of each hash block depends on no tampering with any of the prior blocks.

Although this concept in cryptocurrencies is applied more to ‘transactions in time’ rather than successive data blocks, the utility of ‘hash chaining’ is useful in solving the problem of FPGA bitstream authentication. Blocks similar to the HMACs are still used, but the new ‘hash digests’ will include the hash of current data, as well as the hash of the previous block’s hash digest. This creates a chain of hash dependencies that ensures any tampering or errors anywhere in the authentication process are detected in successive stages.

One of the limitations of block chain technology is the raw computing power necessary to add a block when the system is open-ended. This needn’t be a limitation when the process is limited to a single bitstream authenticated in real time as part of configuration.

Entire Authentication Process for New Intel FPGAs

The newest generation of Intel FPGAs takes advantage of this hash chain in two distinct ways. The first is providing all of the data integrity advantages of the HMAC process for bitstream authentication with the potential of separate keying from encryption (both encryption and authentication will use multiple keys). The second is using a single hash-chained bitstream header as the data to be digitally signed with an asymmetric authentication method (elliptic curve digital signature, ECDSA). In this way, the entire bitstream is not digitally signed; the chained hash digest of the entire bitstream is signed instead. This significantly reduces the computational difficulty of verifying the digital signature and drastically reduces the impact on FPGA configuration latency.

In the diagram above, the security enclave of the FPGA (Secure Device Manager, SDM) loads its firmware first, which is digitally signed by Intel and optionally by the user; the user bitstream’s header, including the chained hash digest of the entire bitstream, is signed by the user.

Conclusion

Security solutions, as always, are necessarily incomplete as measured by the moving target of malicious intents and capabilities. FPGA bitstream authentication has evolved and appeared in partial capabilities and limited advances with each new FPGA family. With this latest generational release, hash-based and digital signature solutions are combined for the first time and borrow from commercial block chain concepts to build the next bridge to securing critical FPGA-based intellectual property.

References

  1. Trimberger, Steve. FPGA Security: Motivations, Features, and Applications. Proceedings of the IEEE, 8 July 2014.
  2. Drimer, Saar. Authentication of FPGA Bitstreams: How and Why. University of Cambridge, 2007.
