Upload
simmi-joshi
View
245
Download
0
Embed Size (px)
Citation preview
8/2/2019 Secure Embedded Processors
1/17
SECURE EMBEDDED PROCESSORS 1
CHAPTER 1 : INTRODUCTION
As networks incorporate more and more devices and span multiple location effectivelyremoving the network perimeter they become increasingly vulnerable to threats. Such threats include
theft of confidential data hacks and malicious code -providing unguarded entry into corporate
networks and IT systems. To provide high performance security solutions that protect data,
application and infrastructure equipment manufacturers are trying to integrate security solutions
even-at the chip level. This need has led to the development of a new class of chip known as secure
embedded processors which integrates the security functions and embedded processor in a system-on-
chip fashion
While dedicated processors have be employed widely in communication equipment over
the last few years to ensure maximum protection of data, both enterprise and SOHO customers are
demanding security be embedded in the networking devices. This need can be satisfied by the use of
secure embedded processors, which can be embedded in the devices directly. And a high performance
boost and stronger security solution over the current stand-alone security processors
Various security protocols included in the security systems are added to the secure embedded
processors so that the complete security functions can be off loaded from the host processors. So that
it integrates protocol intelligent hardware to a processor The growing need to better protect data
communications, while enabling high performance network systems, has driven the demand for a
wide range of security processors and secure processors, from stand-alone security coprocessors to
protocol-hardened security engines, which have become an essential part of integrated
communication processors.
8/2/2019 Secure Embedded Processors
2/17
SECURE EMBEDDED PROCESSORS 2
CHAPTER 2 : REQIURMENTS OF NETWORK SECURITY
The basic requirements of network security are
1.
Confidentiality: The data that the user exchange must be prevented from eavesdropping
2. Integrity: The data that is transferred across the network should be prevented from modification
3. Authentication: Identities need to be protected to make sure that information is only exchanged
between the intended persons or entities, and that information or service is only available to the users
who have appropriate rights to access it
To meet this requirement for secure data communication organization deploy a wide range of security
measures in their network devices
Typical services that use security measures include
1 Enterprise and Access switches and router products
2 Office automation solution and printers
3 VPN and SSL services
4 Intrusion detection and prevention appliances
5 Storage area and network devices
8/2/2019 Secure Embedded Processors
3/17
SECURE EMBEDDED PROCESSORS 3
CHAPTER 3 : FIRST LINE OF DEFENSE
Encryption: In order to secure networks appropriate measures have to be taken such as new firewall
and Intrusion prevention systems that identifies and prevent attacks. As more and more data is
transferred through the network encryption of all data becomes important .All systems rely on
cryptography to ensure confidentiality, authorization, and authentication. And data integrity of
communication over potentially unsafe networks such as Internet. Encryption is the foundation for all
higher-level security protocols such as Internet Security Protocol, Secure Sockets Layer, Secure Multi
Protocol Layer Protocol
Various cryptographic algorithms have been invented and employed to address
the increasing demand for the security. Hashing algorithms such as SHA-256 help preserve the data
integrity are used for digital signatures Public key algorithm is mainly used for key generation
exchange key confidentiality, signing and signature verification while symmetric algorithms are
mainly used for data confidentiality
8/2/2019 Secure Embedded Processors
4/17
SECURE EMBEDDED PROCESSORS 4
CHAPTER 4 : GENERAL APPROACHES FOR IMPLEMENTING
SECURITY
Generally security can be implemented in a system by different methods. The basics methods are
defined below
1. Run security software on a general purpose processors
2. Employ a separate security co-processors
3. Using a single integrated devices known as security enabled processors
The above mentioned methods have its own drawbacks software algorithms are generally
computation intensive Symmetric encryption and decryption technologies require many bit
manipulation operation .Software running on a general processor is often inefficient in performing
such operation. The many instruction needed to implement cryptographic operation consume valuable
CPU resources. There by adversely affecting the system performance and scalability. Executing
security algorithms on a general purpose processor will only be done in a client type situation where a
single interactive session is being secured.
8/2/2019 Secure Embedded Processors
5/17
SECURE EMBEDDED PROCESSORS 5
CHAPTER 5 : IMPROVEMENTS FOR SECURITY ALGORITHM
The more effective alternative to software is cryptographic hardware acceleration in silicon.
Dedicated hardware allows for efficient, high-performance implementations of cryptographic
operations; the hardware logic is specifically designed to perform the cryptographic algorithms,
thereby greatly outperforming software. While a general-purpose processor requires many
instructions to implement an operation using general-purpose hardware blocks (such as an adder or a
shift register), dedicated hardware crypto implementations only use the silicon cells that are strictly
needed to perform the cryptographic operation. The efficiency of dedicated hardware also brings
along the advantage of reduced power consumption.
Another important benefit of hardware implementations is reduced vulnerability. While it may not be
very difficult to alter security software running on a general purpose processor, it is far more complex
and expensive to tamper with a cryptographic security engine embedded in a chip. In a very simple
scenario, the hardware accelerators only implement basic cryptographic operations and operate under
full control of an external host processor. The general purpose (host) processor is freed to focus on
data processing, communications and exchanging information, such as commands, status, keys,
initialization vectors, state information, as well as input and output data with the hardware
accelerator.
Several alternatives and improvements exist for the scenario described above. First of all, the system
can enable more efficient communications with the hardware accelerator by allowing DMA and burst
accesses. The host processor therefore doesnt need to work in a synchronous manner with the
coprocessor. Instead, the host processor can prepare the data, commands and other information that
needs to be processed while continuing with other tasks. This enables the host processor to truly
offload cryptographic operations. The cryptographic hardware accelerator can incorporate the DMA
controller and perform master accesses on the external bus autonomously. An additional way of
offloading security-processing tasks from the host processor is to add processing and protocol
intelligence to the cryptographic accelerator. Instead of just performing basic operations, the
accelerator can perform multiple operations sequentially (such as encryption followed by a hash
operation) and support protocol processing,
8/2/2019 Secure Embedded Processors
6/17
SECURE EMBEDDED PROCESSORS 6
CHAPTER 6 : INTEGRATION OF SECURITY ENGINE AND
PROCESSORS
Integrating intelligent hardware security accelerator(s) and a general-purpose host processor into a
single chip, known as a security-enabled processor or a secure processor, produces the most efficient
and cost-effective solution. A single-chip solution, which integrates an embedded processor with a
cryptographic hardware accelerator in a system-on-a-chip fashion, is the best choice for addressing
the growing security, cost, and performance requirements. The use of an on-chip bus enables
increased performance and maximum security. For instance, sensitive key material can be generated,
stored, and used fully on-chip - thereby avoiding exposure to threats outside of the chip. Other
benefits of an integrated solution include lower cost and improved integration into networking
systems.
Both processors include an integrated hardware accelerator, known as a Turbo Security Engine, and
embedded processor on a single chip, which makes them ideal for securing communication protocols
over wired or wireless networks, for Virtual Private Network (VPN) support, or bulk. Encryption
decryption of stored data. The leading edge Turbo Security Engine offered on both processors is
optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer
Security (TLS), and Secure Real-Time Transport Protocol (SRTP).
8/2/2019 Secure Embedded Processors
7/17
SECURE EMBEDDED PROCESSORS 7
CHAPTER 7 : BLOCK DIAGRAM OF SECURITY ENGINE
Fig 7.1 Block diagram of security engine
7.1 Working of a security engine
Different blocks can explain the working of the security engine. The security engine is divided into
Master and Slave unit, which is used for separate processing of data
Crypto block: This block is mainly used for accelerating different cryptographic operation such as
Data Encryption Standard, Triple Data Encryption standard and Advanced Encryption Standard.
8/2/2019 Secure Embedded Processors
8/17
SECURE EMBEDDED PROCESSORS 8
These encryption standards require many bit manipulation operation .The registers inside the block
are mainly suited for the implementation of the instruction of the above-mentioned standards
Hash block: The function of hash block is to enhance the hashing function such as Secure Hash
Algorithm; Middle Digest 5.Hash function is mainly used for the data integrity and digital signatures
Public Key accelerator: Public key accelerator is mainly for the acceleration of Public Key
Cryptographic Algorithm
Kasumi engine: Kasumi engine is used for the kasumi encryption and decryption. Kasumi block cipher
is used for security in many wireless standards, which also supports f8 and f9 algorithms in addition to
Kasumi encryption and decryption modes
TRNG: True Random Number Generators are used for the generation of random numbers and pseudo
numbers are generated by the IV, PRNG unit
The packet header processors and trailer processors are mainly for the processing of IPSec,
The data i.e. plain text, which is to be converted into cipher text, is
transferred to the security engine through the Processor Local Bus. The user has to define the type of
Cryptographic algorithm used and the number of the bits in the key. The instruction suited for the
processor is used to operate the corresponding block in the security engine. Incase of the DES, Triple
DES algorithm, Advanced Encryption Standard crypto block is operated and the data is converted
into cipher text .The main feature of it is that key can be generated by the processor itself and
transferred if required .For hashing algorithms such as Secure Hash Algorithm -256 and Middle
Digest 5 hash block gets functioning. The registers and the adders are specially suited inside this
block for enhancing the functions
8/2/2019 Secure Embedded Processors
9/17
SECURE EMBEDDED PROCESSORS 9
7.2 Features of security engine
The leading edge Turbo Security Engine offered on both processors is
optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer Security
(TLS), and Secure Real-Time Transport Protocol (SRTP).
The special features of the security engine are as described as below:
1. IPv4 and IPv6 packet header and trailer processing for IPsec
2. Packet payload processing for IPsec (AH/ESP), SSL/TLS, and STRP protocols
3. Public key algorithm acceleration such as for RSA and Diffie-Hellman, and
4. Generation of true random numbers for key exchange protocols such as IKE
5. Kasumi block cipher is used for security in many wireless standards. Supports f8 and f9
Algorithms in addition to Kasumi encryption and decryption modes
The use of an on-chip bus enables increased performance and maximum security. For instance
Sensitive key material can be generated, stored, and used fully on-chip thereby avoiding exposure to
threats outside of the chip. Other benefits of an integrated solution include lower cost and improved
integration into networking systems.
8/2/2019 Secure Embedded Processors
10/17
SECURE EMBEDDED PROCESSORS 10
CHAPTER 8 : SECURE EMBEDDED PROCESSORS
The security engine embedded with the processor provides a high performance boost over the other
typical processor.
8.1 Features of secure embedded processors
The special features of the processors are
Output speed 333 to 667MHz
5-stage FPU with 2.0 MFLOPS/MHz (SP/DP); hardware support for IEEE 754; single-precision and
double-precision operation with 32 64-bit Floating-point registers
On-chip IPSec/SSL acceleration (optional)
NAND Flash controller Supports one to four banks of NAND Flash Memory devices; direct
interfacing to discrete NAND Flash devices (Up to four devices) and Smart Media Card socket (22-
pins); 4-Mbyte - 256-Mbyte devices sizes supported; 512-byte +16-byte or 2-Kbyte
+64-byte device page sizes supported; DMA support allows direct, no Processor-intervention block
copy from NAND Flash out to SDRAM; Boot-from-NAND supported
On-chip double data rate 2 (DDR2) SDRAM controller with 32/64-bit Interface, 2.6-Gbyte/s- peak
data rate and optional ECC
Support for two banks DDR2 SDRAM memory of up to 1 Gbyte each, Maximum capacity of 2 Gbytes Support for 256, 512-Mbit and 1-Gbyte DDR2 devices, with CAS Latencies of 2 or 3
32-bit PCI V2.2, 3.3-V interface supporting frequencies of up to 66 MHz
USB 2.0 device controller, USB 2.0 Host controller and one on-chip USB 2.0 PHY. A second USB
PHY can be attached off-chip via a UTMI Interface.
(2) Ethernet 10/100/1000-Mbit/s, full-duplex MACs supporting GMII/ MII, TBI, RTBI, RGMII, SMII
interfaces. Memory access layer (MAL) Provides DMA capability to both Ethernet channels
Up to 83-MHz, 30-bit address bus, 32-bit data bus external bus control (EBC) interface
Support forup to 6 ROM, RAM, or slave peripheral I/O devices
4-channel DMA support for external peripherals
External bus master controller for access to internal peripherals
Support for memory-to-memory, peripheral-to-memory, and Memory-to-peripheral transfers
Scatter/gather capability
8/2/2019 Secure Embedded Processors
11/17
SECURE EMBEDDED PROCESSORS 11
Up to four UARTs (1x 8-pin, or 2x 4-pin, or 4x 2-pin, or 1x4-pin and 2x2-pin)
Two IIC (with one integrated boot strap controller)
One SPI serial interface 4-channel DMAavailable for internal and External use
Programmable interrupt controller with 10 external inputs, 54 internalInputs
Programmable timers
Fig 8.3 AMCC 440EPx security enabled processor
8/2/2019 Secure Embedded Processors
12/17
SECURE EMBEDDED PROCESSORS 12
The PowerPC 440 Core
To enhance overall throughput, the PowerPC 440 super scalar core incorporates a 7-stage pipeline
and executes up to two instructions per cycle. Its large 32-Kbyte data cache and 32-Kbyte
Instruction cache are 64-way set-associative. Versatile configurations enhance performance
tuning while optional parity protection preserves data integrity. For additional system performance,
the PowerPC 440 core includes dynamic branch prediction and 24 multiply accumulate instructions
(MAC) that can be used for signal processing or other numerical tasks, as well as non-blocking caches that
can be managed in either write-through or write-back mode.
High Performance FPU
In addition to its powerful 440 core, the PowerPC 440EPx includes a high-performance FPU. This
super scalar FPU supports both single and double precision operations, and offers single cycle
throughput on most instructions. The result is exceptional performance in imaging and other
calculation intensive applications.
Security (Optional)
On-chip IPsec/SSL Security acceleration engine supporting DES, 3DES, AES, ARC-4 encryption,
MD-5, SHA-1 hashing, HMAC encrypt-hash and hash-decrypt and Kasumi. Also supports public key
acceleration for RSA, DSA and Diffie-Hellman, and an on-chip true random number generator.
High-Speed Bus Architecture
Offering a peak bandwidth of 5.3 Gbytes/s and separate read and write data buses the PowerPC
440EPxs processor local bus (PLB) provides a high bandwidth connection between the processor
core and memory controller. Less demanding I/O devices are served by two 32-bit on-chip
peripheral buses (OPB).
Extensive Memory Support
An on-chip double data rate 2 (DDR2) SDRAM controller provides a 32/64-bit memory interface
with optional error checking and correcting (ECC) and a 2.6-Gbyte/s peak data rate. It supports twomemory banks of up to 1 Gbyte each, for a maximum capacity of 2 Gbytes. An integrated
NAND Flash controller allows up to four banks of Flash memory devices to be connected to the
processors external peripheral bus. The Flash controller supports device densities up to 512
Mbytes, an optional SmartMedia card interface. Theses devices can be accessed much like diskette
drives, with available boot capability.
8/2/2019 Secure Embedded Processors
13/17
SECURE EMBEDDED PROCESSORS 13
On-Chip Memory
The PowerPC 440EPx offers 16 Kbytes of on-chip memory.
PCI Interface
The PowerPC 440EPx offers a 32-bit PCI V2.2 interface and supports frequencies of up to 66
MHz. Multiple read prefetch and write post buffers enhance throughput, while the ability to boot the
processor from PCI bus memory increases functionality.
Dual Ethernet Ports
For extensive connectivity options, the 440EPx offers two integrated 10/100/1000 Ethernet ports
with Jumbo Frame support. Supports GMII/MII, TBI,RTBI, RGMII, and SMII interfaces.
USB Interface
The 440EPx includes USB 2.0 host and device controllers and a single on-chip USB 2.0 PHY on
chip. A second USB 2.0 PHY can be attached externally via a UTMI interface.
External Bus Interface
To accommodate connectivity with other devices, the PowerPC 440EPx offers a 32-bit bus supporting
up to six ROM, RAM or slave peripheral I/O devices and speeds up to 83 MHz. 4-Channel DMA and
external bus mastering and also supported.
Standard Peripherals
The PowerPC 440EPx offers support for up to 64 general-purpose I/O (GPIO) and two IIC controllers.
A serial peripheral interface (SPI), also referred to as a serial communications port (SCP), allows
fullduplex, synchronous data exchanges with other serial devices. The 440EPx also supports up to four
UARTs in a variety of configurations. A JTAG interface is provided for debugging purposes.
8/2/2019 Secure Embedded Processors
14/17
SECURE EMBEDDED PROCESSORS 14
8.2 Throughput of secure embedded processors
The throughput of the processor increases due to the implementation of the security engine. This can
be verified by the stimulation based performance of the processors .The processors on which this
security engine has been implemented is AMCCs Power PC 440EPx and 440GRx
The Turbo Security Engine gives the PowerPC 440EPx and 440GRx processors a significant
Performance boost over other security-enabled processors available. For IPSec and SRTP packets, the
simulation based performance numbers for the full-offload Turbo Security Engine are 472Mbps (3DES,
SHA1, 350-byte packets) and 485Mpbs (AES, SHA-1350-byte packets), while freeing the 440EPx and
440GRx processors for running real time applications. SSL/TLS packets throughput for the Turbo
Security Engine are 300Mbps (3DES, SHA1, 350-byte packets) and 400Mbps (AES, SHA-1350-byte
packets).
The below shown graphs represent the throughput of the processors for different protocols such as
IPSec, SRTP, SSL/TLS. X-axis represents the number of bytes in the packet and the Y-axis represent
the output per second in Mb.
Fig 8.1 Throughput of the processor for IPSec and SRTP
8/2/2019 Secure Embedded Processors
15/17
SECURE EMBEDDED PROCESSORS 15
Fig 8.2 Throughput for SSL/TLS protocols
Both processors include a Core Connect Processor Local Bus operating at up to
166MHz (128-bit PLB) with separate read and write data paths, a 64-bit DDR SDRAM controller
with ECS protection, a 32-bit PCI Interface, two on-chip 10/100/1000 Mbit/s Ethernet MACs with
packet reject inputs, four UARTs, one Serial Communications Port, two IIC units, a NAND-Flash
controller, General Purpose I/Os, and a programmable interrupt controller. Ideal for protecting
network applications, the 440GRx processor delivers speeds of up to 667MHz and executes up to two
instructions per cycle. With the addition of Floating Point Unit and USB 2.0 Host/Device
functionality and with speeds of up to 667MHz, the PowerPC 440EPx is an optimal solution for
printing/imaging wireless access, industrial and many consumer applications.
8/2/2019 Secure Embedded Processors
16/17
SECURE EMBEDDED PROCESSORS 16
CHAPTER 9. CONCLUSION
Sensitive materials can be generated and stored in the chip so that it is not exposed to secure
embedded processors can be implemented in the network routers and switches, which demand high
security. Since the security functions are mainly implemented by the hardware structure it cannot be
easily tampered. The performance boost provided by the security engine makes the processor suitable
for Real Time Processing, Printing and imaging, wirless access, industry and many consumer
applications threat and data is confidential to the system. The security engine has been implemented
in two AMCCs processor, 440GRx, and 440EPx. By integrating the security processing functions
into the embedded processor, the communications equipment vendor will realize lower costs, high
performance and stronger security than was possible with many standalone security-processing
solutions.
The main shortcoming of the secure embedded processors is that
new security algorithms cannot be implemented without affecting the hardware structure and it will
be costly. Although some security solutions may provide adequate protection, the best available
solutions are single-chip, security-enabled processors like AMCCs PowerPC 440GPx. In todays
world, protecting data of all types across various network environments is no longer just an option,
its a must. An integrated chip offers the optimum package combining increased performance andsecurity.
8/2/2019 Secure Embedded Processors
17/17
SECURE EMBEDDED PROCESSORS 17