Patent Application
20150363333
Many emerging applications require physical security as well as conventional security against software attacks. For example, in Digital Rights Management (DRM), the owner of a computer system is motivated to break the system security to make illegal copies of protected digital content.
Similarly, mobile agent applications require that sensitive electronic transactions be performed on untrusted hosts. The hosts may be under the control of an adversary who is financially motivated to break the system and alter the behavior of a mobile agent. Therefore, physical security is essential for enabling many applications in the Internet era.
Conventional approaches to build physically secure systems are based on building processing systems containing processor and memory elements in a private and tamper-proof environment that is typically implemented using active intrusion detectors. Providing high-grade tamper resistance can be quite expensive. Moreover, the applications of these systems are limited to performing a small number of security critical operations because system computation power is limited by the components that can be enclosed in a small tamper-proof package. In addition, these processors are not flexible, e.g., their memory or I/O subsystems cannot be upgraded easily.
Just requiring tamper-resistance for a single processor chip would significantly enhance the amount of secure computing power, making possible applications with heavier computation requirements. Secure processors have been recently proposed, where only a single processor chip is trusted and the operations of all other components including off-chip memory are verified by the processor.
To enable single-chip secure processors, two main primitives, which prevent an attacker from tampering with the off-chip untrusted memory, have to be developed: memory integrity verification and encryption. Integrity verification checks if an adversary changes a running program's state. If any corruption is detected, then the processor aborts the tasks that were tampered with to avoid producing incorrect results. Encryption ensures the privacy of data stored in the off-chip memory.
To be worthwhile, the verification and encryption schemes must not impose too great a performance penalty on the computation.
Given off-chip memory integrity verification, secure processors can provide tamper-evident (TE) environments where software processes can run in an authenticated environment, such that any physical tampering or software tampering by an adversary is guaranteed to be detected. TE environments enable applications such as certified execution and commercial grid computing, where computation power can be sold with the guarantee of a compute environment that processes data correctly. The performance overhead of the TE processing largely depends on the performance of the integrity verification.
With both integrity verification and encryption, secure processors can provide private and authenticated tamper resistant (PTR) environments where, additionally, an adversary is unable to obtain any information about software and data within the environment by tampering with, or otherwise observing, system operation. PTR environments can enable Trusted Third Party computation, secure mobile agents, and Digital Rights Management (DRM) applications.
An on the fly encryption engine is shown that is operable to encrypt data being written to a multi segment external memory, and is also operable to decrypt data being read from encrypted segments of the external memory. A Message Authentication Code (MAC) is also computed after memory writes and is written to the external memory with the encrypted data. During reads of an encrypted memory segment the MAC is again computed, and the results are compared with the MAC written during encrypted write operations. In case of a mismatch of the computed and the written MAC, an error is signaled to the processor indicating invalid data.
These and other aspects of this invention are illustrated in the drawings, in which:
While there is no restriction on the method of encryption employed, the implementation described here is based on the Advanced Encryption Standard (AES).
AES is a block cipher with a block length of 128 bits. Three different key lengths are allowed by the standard: 128, 192 or 256 bits. Encryption consists of 10 rounds of processing for 128 bit keys, 12 rounds for 192 bit keys and 14 rounds for 256 bit keys.
Each round of processing includes one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key. The order in which these four steps are executed is different for encryption and decryption.
The round keys are generated by an expansion of the key into a key schedule consisting of 44 4-byte words.
During decryption the 128 bit cipher text block 206 is provided to 207, where it is added to the last round key—the round key used by round 10 during encryption. This operation is followed by computing rounds 1 through 10 using the appropriate round keys in reverse order than their use during encryption. The output of 208, round 10 is the 128 bit plain text block 209.
Configuration data is input from bus 306 to the configuration block 301. AES core block 302 contains 12 AES cores and 6 GMAC cores which perform the cryptographic work.
This block performs the appropriate AES/GMAC/CBC-MAC operation defined by the scheduler.
Half of the AES and GMAC cores are assigned to RD path and the other half to the WRT path.
Since GMAC cores operate twice has fast as the AES cores, therefore half as many are required.
The AES operations have 2 modes of operations called AES CTR and ECB+.
AES CTR is optimized for write once and read <n> times per unique Key update.
ECB+ is optimized for write <n> and read <n> times per unique Key update.
Command Buffer Block 303 tracks and stores all active transactions by accepting new transactions submitted on the data bus 305. It tracks the External Memory Interface (EMIF) responses to the submitted commands to the EMIF. With this information OTFA_EMIF has the ability to determine which command is associated with the EMIF response. This is required to determine which command and address is associated with the read data the EMIF is presenting.
Scheduler block 304 is the main control block which controls
Data path routing is simple routing of the data sources for the AES operation. There are 2 possible data sources, the input write data and EMIF read data. Read data is required for read transactions or write transactions that require an internal read modify write operation.
The scheduler block will issue an internal Read Modify Write operation during the following conditions:
During ECB+ write operation when any of the byte enables are not active for each 16 Byte transfer.
During write operation when MAC is enabled and the block being written is not a complete 32 Byte transfer.
The scheduler block will issue a modified Read command when accessing a MAC enabled region when the Read command is not a multiple of 32 Bytes. These operations are shown in Table 1.
During encryption, the scheduler will first determine if this address is in a Crypto Region, if not then bypass the Crypto Cores.
If the address is a hit for Crypto operation, it determines the type of operation based on the Encryption mode and Authentication mode for that region.
It will then schedule the required Crypto tasks for the Crypto Cores to implement that function including the HASH calculation.
It checks to see if a read/modify/write is required, then schedule a appropriate command.
During decryption the scheduler will first determine if this address is in a Crypto Region, if not then bypass the Crypto Cores.
If the address is a hit for Crypto operation, it determines the type of operation based on the Encryption mode and Authentication mode for that region.
Based on this information it will determine if it can start an early Crypto operation before the command is sent to the memory and before the read data is returned by the memory. This early operation enables high performance since the Crypto operation is started before the read data is sent back.
Also, it will check the HASH CACHE to determine if this command has a HIT, if a MISS the it will issue a HASH read before the read command is sent.
When the RD_DATA is sent back, a Scoreboard is used to determine which command it was associated with, this allows out of order commands to the external memory and out of order read data from the memory.
Once the read data arrives, the data will get sent to the Crypto Cores for processing.
For some types of Crypto Operations a Speculative Read Crypto operation can start when the Read command is sent to the Memory System. The result of this operation is stored in a Speculative Read Crypto Cache which enables the out of order response from the Memory System.
The Crypto Cores are a set of cores which can get used by encryption or decryption operations. The interface is simple, FIFO like with backpressure. If read traffic is 50% and write traffic is 50% then the allocation can be balanced. If write traffic is higher more Crypto Cores may be allocated to the write traffic.
This can get done by a static allocation, like a 60 to 40 split or it can get done by a dynamic allocation to adapt to the current traffic patterns. This will insure the maximum utilization of the Crypto Cores.
The region checking function will verify that a command will not cross memory regions. If regions are crossed the command will be blocked. For WR DATA it will null all byte enables. For RD DATA will force zero on all DATA. A secure Error event is sent to the kernel. This prevents bad or malicious code from corrupting a secure area or getting access to a secure area.
The dictionary checker function will verify that the command is not doing a Dictionary attack by accessing the same memory location multiple times. If it violates these rules it will block the WR command from issuing a Crypto Operation and will null all byte enables. A secure Error event is sent to the kernel. This prevents bad or malicious code from determining the Crypto Keys used making the brute force attack the only possible method to break the encryption.
AES block 302 requires the following inputs:
The AES operation produces an encrypted or decrypted data word.
The MAC operation produces a MAC for Read and Write operations.
Table 2 defines the possible combinations of Encryption modes and Authentication modes. A total of 9 combinations are allowed. Note GCM is AES-CTR+GMAC and CCM is AES-CTR+CBC-MAC.
AES mode 0 is shown in
AES mode 1 is shown in
