by Ryan Kenny, Senior Strategic and Technical Marketing at Intel
Brief History of FPGA Bitstream Authentication
Static Random Access Memory (SRAM) based FPGAs now have almost twenty years of history in the design of embedded and, recently, standard compute platforms. They provide some of the parallelism and hardware acceleration benefits of fixed-function ASIC accelerators, but also some of the advantages of programmable processors in that the same chip can be programmed and reprogrammed to perform many functions.
For corporations investing the time, effort, and know-how into designing FPGAs for their embedded systems, the FPGA design itself increasingly became highly valuable corporate intellectual property requiring protection. So security features were developed by the handful of major FPGA vendors – primary among them being encryption of the FPGA bitfile, protected by a secret key. A history of some of these features can be found in an IEEE survey of security published in 2014.
Although protecting the FPGA bitstream from loss or theft was achieved, encryption and a handful of other features supporting it did not protect the FPGA bitstream from random or deliberate manipulation or malicious replacement in a system. So Saar Drimer (arguably first) and others proposed or discussed the addition of authentication capabilities to sensitive bitstreams. External solutions were either discussed or offered by companies like Maxim and Infineon.
FPGA vendors then made authentication solutions available in the form of symmetric key hash message authentication codes (HMACs) in the bitstream, authenticating modes of the Advanced Encryption Standard (AES-GCM), then eventually full bitstream signature-based authentication.
What HMAC Does and Does Not Do
Combining encryption and HMACs in a bitstream has been a standard practice in FPGA security for some time. If they are implemented in the same process (such as the Galois Counter Mode, AES-GCM) then they likely use a single key for encryption and authentication. If they are separate processes, then it is possible to use two separate keys, although that then creates the need to identify, store, and protect two different keys.
When using HMAC for authentication and sharing a key for encryption, a compromised key now allows for both loss of IP as well as malicious exploitation of the system. In addition, symmetric key hashes do not provide a newer security parameter that is addressed in asymmetric key digital signatures: non-repudiation. This is essentially a thread of traceability as to where a compromised bitstream may come from.
When layering encryption and HMACs together in a bitstream, it is also important to specify the order of operation in the FPGA configuration process. Decrypting prior to authentication can generate side channel information from the encryption process, allowing for other key compromise attacks.
Finally, although initially praised as a ‘dual purpose’ encryption mode, AES-GCM has seen a large number of published vulnerabilities and OpenSSL support security patches over the years that have lowered the overall confidence in its robustness.
Experiments in Authenticating Entire Bitstream
Some of the difficulties in using asymmetric keys and digitally signing an entire FPGA bitstream were identified in Drimer’s original paper on FPGA bitstream authentication. This is the issue of the size of the bitstreams (getting larger every generation of FPGAs) and the inability to buffer all of that data in the FPGA while the signature is being verified. The one bitstream digital signature solution in the FPGA market today exhibits this limitation and incurs that cost on the user: authentication can triple the authentication time of the FPGA.
Introducing ‘Hash Chaining’
One technology with a rising profile in digital security is the ‘block chain’. Block chain security takes advantage of the idea of hashing one block of data together with the hash of the previous block, and carrying this forward such that the validity of each hash block depends on no tampering with any of the prior blocks.
Although this concept in cryptocurrencies is applied more to ‘transactions in time’ rather than successive data blocks, the utility of ‘hash chaining’ is useful in solving the problem of FPGA bitstream authentication. Blocks similar to the HMACs are still used, but the new ‘hash digests’ will include the hash of current data, as well as the hash of the previous block’s hash digest. This creates a chain of hash dependencies that ensures any tampering or errors anywhere in the authentication process are detected in successive stages.
One of the limitations of block chain technology is the raw computing power necessary to add to the block if the system is open-ended. This needn’t be a limitation when the process is limited to a single bitstream authenticated in real-time as part of configuration.
Entire Authentication Process for New Intel FPGAs
The newest generation of Intel FPGAs take advantage of this hash chain in two distinct ways. The first is providing all of the data integrity advantages of the HMAC process for bitstream authentication with the potential of separate keying from encryption (both encryption and authentication will use multiple keys). The second advantage is to provide a single hash chained bitstream header as the data to be digitally signed using an asymmetric authentication method (elliptic curve digital signature, ECDSA). In this way, the entire bitstream is not digitally signed, but the chained hash digest of the entire bitstream is signed instead. This significantly reduces the computational difficulty of verifying the digital signature and drastically reduces the impact on FPGA configuration latency.
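The following is an added illustration of the hash chaining described above and of why the final chained digest is a suitable thing to sign instead of the whole bitstream. It is example code written for this article, not Intel's configuration firmware or any vendor's bitstream format: the 512-byte "bitstream", the 64-byte block size, the zero initial digest and the chaining rule SHA-256(previous digest || block) are all constructed assumptions. The ECDSA signature over the header is not performed here; the example only produces the digest that such a signature would cover. It also goes slightly beyond the text by contrasting chained digests with independent per-block MACs, to show that chaining ties block order to the digest while independent MACs do not.

```python
import hashlib
import hmac

# Constructed sample bitstream and parameters (not a real FPGA bitstream).
BITSTREAM = bytes((i * 7 + 3) % 256 for i in range(512))
BLOCK_SIZE = 64
INITIAL_DIGEST = b"\x00" * 32          # assumed chain seed
DEMO_HMAC_KEY = b"constructed-demo-key"  # assumed symmetric key for the comparison


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut the bitstream into fixed-size blocks as a config engine would stream them."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def chain_digests(blocks: list, seed: bytes = INITIAL_DIGEST) -> list:
    """digest[i] = SHA-256(digest[i-1] || block[i]); each digest commits to all prior blocks."""
    digests, prev = [], seed
    for block in blocks:
        prev = hashlib.sha256(prev + block).digest()
        digests.append(prev)
    return digests


def header_digest(digests: list) -> bytes:
    """The last chained digest is the only value the bitstream header needs to carry
    for the signer; an ECDSA signature over it covers the entire bitstream."""
    return digests[-1]


def verify_stream(blocks: list, digests: list, seed: bytes = INITIAL_DIGEST) -> int:
    """Streaming verification: check each block as it arrives, without buffering the
    whole bitstream. Returns the index of the first bad block, or -1 if all verify."""
    prev = seed
    for i, (block, expected) in enumerate(zip(blocks, digests)):
        prev = hashlib.sha256(prev + block).digest()
        if not hmac.compare_digest(prev, expected):
            return i
    return -1


def independent_macs(blocks: list, key: bytes) -> list:
    """Comparison case: one HMAC per block with no dependency on neighbours."""
    return [hmac.new(key, b, hashlib.sha256).digest() for b in blocks]


def verify_independent(blocks: list, macs: list, key: bytes) -> int:
    """Per-block MAC check; returns index of first bad block, or -1."""
    for i, (block, expected) in enumerate(zip(blocks, macs)):
        if not hmac.compare_digest(hmac.new(key, block, hashlib.sha256).digest(), expected):
            return i
    return -1


def flip_bit(blocks: list, index: int, offset: int = 0) -> list:
    """Return a copy of blocks with one bit flipped in block[index] (a corruption)."""
    copy = list(blocks)
    b = bytearray(copy[index])
    b[offset] ^= 0x01
    copy[index] = bytes(b)
    return copy


def swap(items: list, i: int, j: int) -> list:
    """Return a copy with elements i and j exchanged (a reordering)."""
    copy = list(items)
    copy[i], copy[j] = copy[j], copy[i]
    return copy


if __name__ == "__main__":
    blocks = split_blocks(BITSTREAM)
    digests = chain_digests(blocks)
    print("blocks:", len(blocks), "header digest:", header_digest(digests).hex())
    print("intact chain verifies at block:", verify_stream(blocks, digests))
    print("bit flip in block 3 detected at block:", verify_stream(flip_bit(blocks, 3), digests))
    # Reorder blocks together with their digests: chaining still catches it,
    # because digest[1] was computed over digest[0] || block[1], not block[2].
    print("swap of blocks 1,2 detected at block:",
          verify_stream(swap(blocks, 1, 2), swap(digests, 1, 2)))
    macs = independent_macs(blocks, DEMO_HMAC_KEY)
    print("same swap against independent MACs:",
          verify_independent(swap(blocks, 1, 2), swap(macs, 1, 2), DEMO_HMAC_KEY))
```

Two points the run makes visible: the verifier only ever holds one 32-byte digest of state between blocks, so the buffering problem from the "entire bitstream signature" approach disappears, and any corruption or reordering changes the final digest, so a signature over the header digest alone is invalidated by a change anywhere in the bitstream.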
In the diagram above, the security enclave of the FPGA (Secure Device Manager, SDM) loads its firmware first, which is digitally signed by Intel and optionally by the user, and the user bitstream’s header, including the chained hash digest of the entire bitstream, is signed by the user.
Security solutions, as always, are necessarily incomplete as measured by the moving target of malicious intents and capabilities. FPGA bitstream authentication has evolved and appeared in partial capabilities and limited advances with each new FPGA family. With this latest generational release, hash-based and digital signature solutions are combined for the first time and borrow from commercial block chain concepts to build the next bridge to securing critical FPGA-based intellectual property.
- Trimberger, Steve. FPGA Security: Motivations, Features, and Applications. Proceedings of the IEEE, 8 July 2014.
- Drimer, Saar. Authentication of FPGA Bitstreams: How and Why. University of Cambridge, 2007.