Over the past two decades, the field-programmable gate array (FPGA) has transitioned from a prototyping tool to a flexible production solution in both consumer and industrial applications. With FPGA logic complexity increasing from a few thousand gates to millions of gates, the devices are able to hold more of the key functions (intellectual property) of a system.
Today, designers can select FPGAs that employ various technologies to hold the configuration data—one-time programmable antifuses, reprogrammable flash-based storage cells, and reprogrammable SRAM-based configurable logic cells. Both antifuse- and flash-based solutions provide relatively secure solutions, since the configuration data is stored on the FPGA chip and there are mechanisms that prevent the stored data from being read out. And, unless very sophisticated schemes such as depacking, microprobing, voltage contrast electron-beam microscopy, and focusedion- beam (FIB) probing are used to pry into the silicon and to disable security mechanisms,1 it’s very unlikely that the data will be compromised. (For a short backgrounder on FPGAs, see “Technology Options And Issues For FPGAs,” p. 52.)
Static-RAM-based (SRAM) FPGAs, however, have fewer safeguards to protect that IP (the configuration data) against illegal copying and theft. The reason is that once the data is loaded, it’s held in SRAM memory cells. Such cells can easily be probed to determine their contents. In addition, without some type of security mechanism to protect the configuration data before it’s loaded into the chip, that data is open to snooping. That’s because the bit stream is usually stored in a separate memory chip read by the FPGA upon power-up to load its configuration pattern. There are, though, some simple ways to secure that data to prevent someone from copying the configuration pattern (stealing the IP).
THE WEAK POINT OF SRAM-BASED FPGAS
Due to the two-chip solution—FPGA and configuration memory—the configuration data bit stream is exposed to eavesdropping during the power-up phase. Since the FPGA can’t tell whether the bit stream is “genuine” or an illegally obtained copy, the intellectual property contained in the configuration data is totally unprotected. This wellknown issue has been partially addressed by means of security keys and bit-stream encryption. However, it’s only used for high-end FPGAs, which aren’t suited for consumer application due to their high cost.
WITHOUT PROTECTION
Particularly vulnerable to design piracy are applications that use SRAM-based FPGAs without bit-stream encryption. The configuration bit stream can be captured, reprogrammed into configuration PROMs, or simply replayed to make clones of the original design. Cloned products then compete with the original product, stealing the research and development investment as well as reducing the market share and profitability of the original manufacturer.
Even without encryption, antifuse- or flash-based FPGAs are more secure than SRAM-based FPGAs because the configuration data isn’t exposed to eavesdropping. But an assembly house, if set up to program the FPGAs, can program more units than authorized and sell them on its own without incurring any development costs. Such unauthorized devices are indistinguishable from the authorized devices and can significantly impact a company’s profitability.
One way to make the SRAM-based FPGAs a little more secure is to leverage multichip packaging and mount the nonvolatile memory inside a package along with the FPGA. Yet if someone opens the package, the data interface between the memory and the FPGA is exposed and the configuration pattern can be compromised.
The structure of the configuration bit stream (i.e., the sequence of data elements and how they’re coded and identified) is largely undocumented. The obscurity, complexity, and size of the bit stream make the reverse-engineering process difficult and time-consuming, though theoretically possible.1 If successful, even partial reverse engineering of the configuration stream makes it possible to hack a set-top box to steal services or tamper with power-train settings in a vehicle, causing liability problems for the original manufacturer.
THE CHALLENGE…
To prevent system costs from exploding, designers must keep using SRAM-based FPGAs without encryption. However, they have to find a way to protect the intellectual property from piracy. Furthermore, the added cost for the security measures must be as low as possible and the impact on the production flow must be minimal.
It’s crucial that the security-related hardware fit into the available space on the circuit board, but not increase the overall power consumption. Also, the impact of security on the FPGA’s resources (number of pins and logic elements) must be as low as possible.
… AND THE RESPONSE: AUTHENTICATION
The objective of the authentication process is to establish proof of identity between two or more entities. Key-based authentication takes a secret key and the to-be-authenticated data (“message”) as input to compute a message authentication code (MAC). The MAC is then attached to the message. The recipient of the message performs the same computation and compares its version of the MAC to the one received with the message. If both MACs match, the message is authentic.
A weakness with this basic model, though, is that an intercepted message can later be replayed by a non-authentic sender and be mistaken as authentic. The chance of a simple “replay attack” to succeed is resolved if the MAC computation incorporates a random challenge chosen by the MAC recipient. Figure 1 illustrates the general concept. The longer the challenge, the more difficult it is to record all possible responses for a potential replay.
To prove the authenticity of the MAC originator, the MAC recipient generates a random number and sends it as a challenge to the originator. The MAC originator must then compute a new MAC based on the secret key, the message, and the challenge and send the computed result back to the recipient. If the originator proves capable of generating a valid MAC for any challenge, it’s very certain that it knows the secret and therefore can be considered authentic. The technical term for this process is challenge-and-response authentication (Fig. 1).
Numerous algorithms are used to compute MACs, such as Gost-Hash, HAS-160, HAVAL, MDC-2, MD2, MD4, MD5, RIPEMD, SHA family, Tiger, and WHIRLPOOL. A thoroughly scrutinized and internationally certified one-way hash algorithm is SHA-1, which was developed by the National Institute of Standards and Technology (NIST). SHA-1 has evolved into the international standard ISO/IEC 10118-3:2004.
Continue on Page 2
Reprints
