Anda di halaman 1dari 17

SECURE EMBEDDED PROCESSORS

CHAPTER 1 : INTRODUCTION

As networks incorporate more and more devices and span multiple location effectively removing the network perimeter they become increasingly vulnerable to threats. Such threats include theft of confidential data hacks and malicious code -providing unguarded entry into corporate networks and IT systems. To provide high performance security solutions that protect data, application and infrastructure equipment manufacturers are trying to integrate security solutions even-at the chip level. This need has led to the development of a new class of chip known as secure embedded processors which integrates the security functions and embedded processor in a system-onchip fashion While dedicated processors have be employed widely in communication equipment over the last few years to ensure maximum protection of data, both enterprise and SOHO customers are demanding security be embedded in the networking devices. This need can be satisfied by the use of secure embedded processors, which can be embedded in the devices directly. And a high performance boost and stronger security solution over the current stand-alone security processors Various security protocols included in the security systems are added to the secure embedded processors so that the complete security functions can be off loaded from the host processors. So that it integrates protocol intelligent hardware to a processor The growing need to better protect data communications, while enabling high performance network systems, has driven the demand for a wide range of security processors and secure processors, from stand-alone security coprocessors to protocol-hardened security engines, which have become an essential part of integrated communication processors.

SECURE EMBEDDED PROCESSORS

CHAPTER 2 : REQIURMENTS OF NETWORK SECURITY


The basic requirements of network security are 1. Confidentiality: The data that the user exchange must be prevented from eavesdropping 2. Integrity: The data that is transferred across the network should be prevented from modification 3. Authentication: Identities need to be protected to make sure that information is only exchanged between the intended persons or entities, and that information or service is only available to the users who have appropriate rights to access it To meet this requirement for secure data communication organization deploy a wide range of security measures in their network devices

Typical services that use security measures include

1 2 3 4 5

Enterprise and Access switches and router products Office automation solution and printers VPN and SSL services Intrusion detection and prevention appliances Storage area and network devices

SECURE EMBEDDED PROCESSORS

CHAPTER 3 : FIRST LINE OF DEFENSE


Encryption: In order to secure networks appropriate measures have to be taken such as new firewall and Intrusion prevention systems that identifies and prevent attacks. As more and more data is transferred through the network encryption of all data becomes important .All systems rely on cryptography to ensure confidentiality, authorization, and authentication. And data integrity of communication over potentially unsafe networks such as Internet. Encryption is the foundation for all higher-level security protocols such as Internet Security Protocol, Secure Sockets Layer, Secure Multi Protocol Layer Protocol

Various cryptographic algorithms have been invented and employed to address the increasing demand for the security. Hashing algorithms such as SHA-256 help preserve the data integrity are used for digital signatures Public key algorithm is mainly used for key generation exchange key confidentiality, signing and signature verification while symmetric algorithms are mainly used for data confidentiality

SECURE EMBEDDED PROCESSORS

CHAPTER 4 : GENERAL APPROACHES FOR IMPLEMENTING SECURITY


Generally security can be implemented in a system by different methods. The basics methods are defined below 1. Run security software on a general purpose processors 2. Employ a separate security co-processors 3. Using a single integrated devices known as security enabled processors The above mentioned methods have its own drawbacks software algorithms are generally computation intensive Symmetric encryption and decryption technologies require many bit manipulation operation .Software running on a general processor is often inefficient in performing such operation. The many instruction needed to implement cryptographic operation consume valuable CPU resources. There by adversely affecting the system performance and scalability. Executing security algorithms on a general purpose processor will only be done in a client type situation where a single interactive session is being secured.

SECURE EMBEDDED PROCESSORS

CHAPTER 5 : IMPROVEMENTS FOR SECURITY ALGORITHM

The more effective alternative to software is cryptographic hardware acceleration in silicon. Dedicated hardware allows for efficient, high-performance implementations of cryptographic operations; the hardware logic is specifically designed to perform the cryptographic algorithms, thereby greatly outperforming software. While a general-purpose processor requires many instructions to implement an operation using general-purpose hardware blocks (such as an adder or a shift register), dedicated hardware crypto implementations only use the silicon cells that are strictly needed to perform the cryptographic operation. The efficiency of dedicated hardware also brings along the advantage of reduced power consumption. Another important benefit of hardware implementations is reduced vulnerability. While it may not be very difficult to alter security software running on a general purpose processor, it is far more complex and expensive to tamper with a cryptographic security engine embedded in a chip. In a very simple scenario, the hardware accelerators only implement basic cryptographic operations and operate under full control of an external host processor. The general purpose (host) processor is freed to focus on data processing, communications and exchanging information, such as commands, status, keys, initialization vectors, state information, as well as input and output data with the hardware accelerator. Several alternatives and improvements exist for the scenario described above. First of all, the system can enable more efficient communications with the hardware accelerator by allowing DMA and burst accesses. The host processor therefore doesnt need to work in a synchronous manner with the coprocessor. Instead, the host processor can prepare the data, commands and other information that needs to be processed while continuing with other tasks. This enables the host processor to truly offload cryptographic operations. The cryptographic hardware accelerator can incorporate the DMA controller and perform master accesses on the external bus autonomously. An additional way of offloading security-processing tasks from the host processor is to add processing and protocol intelligence to the cryptographic accelerator. Instead of just performing basic operations, the accelerator can perform multiple operations sequentially (such as encryption followed by a hash operation) and support protocol processing,

SECURE EMBEDDED PROCESSORS

CHAPTER 6 : INTEGRATION OF SECURITY ENGINE AND PROCESSORS

Integrating intelligent hardware security accelerator(s) and a general-purpose host processor into a single chip, known as a security-enabled processor or a secure processor, produces the most efficient and cost-effective solution. A single-chip solution, which integrates an embedded processor with a cryptographic hardware accelerator in a system-on-a-chip fashion, is the best choice for addressing the growing security, cost, and performance requirements. The use of an on-chip bus enables increased performance and maximum security. For instance, sensitive key material can be generated, stored, and used fully on-chip - thereby avoiding exposure to threats outside of the chip. Other benefits of an integrated solution include lower cost and improved integration into networking systems. Both processors include an integrated hardware accelerator, known as a Turbo Security Engine, and embedded processor on a single chip, which makes them ideal for securing communication protocols over wired or wireless networks, for Virtual Private Network (VPN) support, or bulk. Encryption decryption of stored data. The leading edge Turbo Security Engine offered on both processors is optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP).

SECURE EMBEDDED PROCESSORS

CHAPTER 7 : BLOCK DIAGRAM OF SECURITY ENGINE

Fig 7.1 Block diagram of security engine

7.1 Working of a security engine Different blocks can explain the working of the security engine. The security engine is divided into Master and Slave unit, which is used for separate processing of data Crypto block: This block is mainly used for accelerating different cryptographic operation such as Data Encryption Standard, Triple Data Encryption standard and Advanced Encryption Standard.

SECURE EMBEDDED PROCESSORS

These encryption standards require many bit manipulation operation .The registers inside the block are mainly suited for the implementation of the instruction of the above-mentioned standards Hash block: The function of hash block is to enhance the hashing function such as Secure Hash Algorithm; Middle Digest 5.Hash function is mainly used for the data integrity and digital signatures Public Key accelerator: Public key accelerator is mainly for the acceleration of Public Key Cryptographic Algorithm Kasumi engine: Kasumi engine is used for the kasumi encryption and decryption. Kasumi block cipher is used for security in many wireless standards, which also supports f8 and f9 algorithms in addition to Kasumi encryption and decryption modes TRNG: True Random Number Generators are used for the generation of random numbers and pseudo numbers are generated by the IV, PRNG unit The packet header processors and trailer processors are mainly for the processing of IPSec, The data i.e. plain text, which is to be converted into cipher text, is transferred to the security engine through the Processor Local Bus. The user has to define the type of Cryptographic algorithm used and the number of the bits in the key. The instruction suited for the processor is used to operate the corresponding block in the security engine. Incase of the DES, Triple DES algorithm, Advanced Encryption Standard crypto block is operated and the data is converted into cipher text .The main feature of it is that key can be generated by the processor itself and transferred if required .For hashing algorithms such as Secure Hash Algorithm -256 and Middle Digest 5 hash block gets functioning. The registers and the adders are specially suited inside this block for enhancing the functions

SECURE EMBEDDED PROCESSORS

7.2 Features of security engine The leading edge Turbo Security Engine offered on both processors is optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP). The special features of the security engine are as described as below: 1. IPv4 and IPv6 packet header and trailer processing for IPsec 2. Packet payload processing for IPsec (AH/ESP), SSL/TLS, and STRP protocols 3. Public key algorithm acceleration such as for RSA and Diffie-Hellman, and 4. Generation of true random numbers for key exchange protocols such as IKE 5. Kasumi block cipher is used for security in many wireless standards. Supports f8 and f9 Algorithms in addition to Kasumi encryption and decryption modes The use of an on-chip bus enables increased performance and maximum security. For instance Sensitive key material can be generated, stored, and used fully on-chip thereby avoiding exposure to threats outside of the chip. Other benefits of an integrated solution include lower cost and improved integration into networking systems.

SECURE EMBEDDED PROCESSORS

10

CHAPTER 8 : SECURE EMBEDDED PROCESSORS


The security engine embedded with the processor provides a high performance boost over the other typical processor. 8.1 Features of secure embedded processors The special features of the processors are Output speed 333 to 667MHz 5-stage FPU with 2.0 MFLOPS/MHz (SP/DP); hardware support for IEEE 754; single-precision and double-precision operation with 32 64-bit Floating-point registers On-chip IPSec/SSL acceleration (optional) NAND Flash controller Supports one to four banks of NAND Flash interfacing to discrete NAND Flash devices Memory devices; direct

(Up to four devices) and Smart Media Card socket (22-

pins); 4-Mbyte - 256-Mbyte devices sizes supported; 512-byte +16-byte or 2-Kbyte +64-byte device page sizes supported; DMA support allows direct, no copy from NAND Flash out to SDRAM; Boot-from-NAND supported On-chip double data rate 2 (DDR2) SDRAM controller with 32/64-bit Interface, 2.6-Gbyte/s- peak data rate and optional ECC Support for two banks DDR2 SDRAM memory of up to 1 Gbyte each, Maximum capacity of 2 Gbytes Support for 256, 512-Mbit and 1-Gbyte DDR2 devices, with CAS Latencies of 2 or 3 32-bit PCI V2.2, 3.3-V interface supporting frequencies of up to 66 MHz USB 2.0 device controller, USB 2.0 Host controller and one on-chip USB 2.0 PHY. A second USB PHY can be attached off-chip via a UTMI Interface. (2) Ethernet 10/100/1000-Mbit/s, full-duplex MACs supporting GMII/ MII, TBI, RTBI, RGMII, SMII interfaces. Memory access layer (MAL) Provides DMA capability to both Ethernet channels Up to 83-MHz, 30-bit address bus, 32-bit data bus external bus control (EBC) interface Support for up to 6 ROM, RAM, or slave peripheral I/O devices 4-channel DMA support for external peripherals External bus master controller for access to internal peripherals Support for memory-to-memory, peripheral-to-memory, and Memory-to-peripheral transfers Scatter/gather capability Processor-intervention block

SECURE EMBEDDED PROCESSORS

11

Up to four UARTs (1x 8-pin, or 2x 4-pin, or 4x 2-pin, or 1x4-pin and 2x2-pin) Two IIC (with one integrated boot strap controller) One SPI serial interface 4-channel DMA available for internal and External use Programmable interrupt controller with 10 external inputs, 54 internalInputs Programmable timers

Fig 8.3 AMCC 440EPx security enabled processor

SECURE EMBEDDED PROCESSORS

12

The PowerPC 440 Core To enhance overall throughput, the PowerPC 440 super scalar core incorporates a 7-stage pipeline and executes up to two instructions per cycle. Its large 32-Kbyte data cache and 32-Kbyte Instruction cache are 64-way set-associative. Versatile configurations enhance performance tuning while optional parity protection preserves data integrity. For additional system performance, the PowerPC 440 core includes dynamic branch prediction and 24 multiply accumulate instructions (MAC) that can be used for signal processing or other numerical tasks, as well as non-blocking caches that can be managed in either write-through or write-back mode. High Performance FPU In addition to its powerful 440 core, the PowerPC 440EPx includes a high-performance FPU. This super scalar FPU supports both single and double precision operations, and offers single cycle throughput on most instructions. The result is exceptional performance in imaging and other calculation intensive applications. Security (Optional) On-chip IPsec/SSL Security acceleration engine supporting DES, 3DES, AES, ARC-4 encryption, MD-5, SHA-1 hashing, HMAC encrypt-hash and hash-decrypt and Kasumi. Also supports public key acceleration for RSA, DSA and Diffie-Hellman, and an on-chip true random number generator. High-Speed Bus Architecture Offering a peak bandwidth of 5.3 Gbytes/s and separate read and write data buses the PowerPC 440EPxs processor local bus (PLB) provides a high bandwidth connection between the processor core and memory controller. Less demanding I/O devices are served by two 32-bit on-chip peripheral buses (OPB). Extensive Memory Support An on-chip double data rate 2 (DDR2) SDRAM controller provides a 32/64-bit memory interface with optional error checking and correcting (ECC) and a 2.6-Gbyte/s peak data rate. It supports two memory banks of up to 1 Gbyte each, for a maximum capacity of 2 Gbytes. An integrated NAND Flash controller allows up to four banks of Flash memory devices to be connected to the processors external peripheral bus. The Flash controller supports device densities up to 512 Mbytes, an optional SmartMedia card interface. Theses devices can be accessed much like diskette drives, with available boot capability.

SECURE EMBEDDED PROCESSORS

13

On-Chip Memory The PowerPC 440EPx offers 16 Kbytes of on-chip memory. PCI Interface The PowerPC 440EPx offers a 32-bit PCI V2.2 interface and supports frequencies of up to 66 MHz. Multiple read prefetch and write post buffers enhance throughput, while the ability to boot the processor from PCI bus memory increases functionality. Dual Ethernet Ports For extensive connectivity options, the 440EPx offers two integrated 10/100/1000 Ethernet ports with Jumbo Frame support. Supports GMII/MII, TBI,RTBI, RGMII, and SMII interfaces. USB Interface The 440EPx includes USB 2.0 host and device controllers and a single on-chip USB 2.0 PHY on chip. A second USB 2.0 PHY can be attached externally via a UTMI interface. External Bus Interface To accommodate connectivity with other devices, the PowerPC 440EPx offers a 32-bit bus supporting up to six ROM, RAM or slave peripheral I/O devices and speeds up to 83 MHz. 4-Channel DMA and external bus mastering and also supported. Standard Peripherals The PowerPC 440EPx offers support for up to 64 general-purpose I/O (GPIO) and two IIC controllers. A serial peripheral interface (SPI), also referred to as a serial communications port (SCP), allows fullduplex, synchronous data exchanges with other serial devices. The 440EPx also supports up to four UARTs in a variety of configurations. A JTAG interface is provided for debugging purposes.

SECURE EMBEDDED PROCESSORS

14

8.2 Throughput of secure embedded processors The throughput of the processor increases due to the implementation of the security engine. This can be verified by the stimulation based performance of the processors .The processors on which this security engine has been implemented is AMCCs Power PC 440EPx and 440GRx The Turbo Security Engine gives the PowerPC 440EPx and 440GRx processors a significant Performance boost over other security-enabled processors available. For IPSec and SRTP packets, the simulation based performance numbers for the full-offload Turbo Security Engine are 472Mbps (3DES, SHA1, 350-byte packets) and 485Mpbs (AES, SHA-1350-byte packets), while freeing the 440EPx and 440GRx processors for running real time applications. SSL/TLS packets throughput for the Turbo Security Engine are 300Mbps (3DES, SHA1, 350-byte packets) and 400Mbps (AES, SHA-1350-byte packets). The below shown graphs represent the throughput of the processors for different protocols such as IPSec, SRTP, SSL/TLS. X-axis represents the number of bytes in the packet and the Y-axis represent the output per second in Mb.

Fig 8.1 Throughput of the processor for IPSec and SRTP

SECURE EMBEDDED PROCESSORS

15

Fig 8.2 Throughput for SSL/TLS protocols

Both processors include a Core Connect Processor Local Bus operating at up to 166MHz (128-bit PLB) with separate read and write data paths, a 64-bit DDR SDRAM controller with ECS protection, a 32-bit PCI Interface, two on-chip 10/100/1000 Mbit/s Ethernet MACs with packet reject inputs, four UARTs, one Serial Communications Port, two IIC units, a NAND-Flash controller, General Purpose I/Os, and a programmable interrupt controller. Ideal for protecting network applications, the 440GRx processor delivers speeds of up to 667MHz and executes up to two instructions per cycle. With the addition of Floating Point Unit and USB 2.0 Host/Device functionality and with speeds of up to 667MHz, the PowerPC 440EPx is an optimal solution for printing/imaging wireless access, industrial and many consumer applications.

SECURE EMBEDDED PROCESSORS

16

CHAPTER 9. CONCLUSION
Sensitive materials can be generated and stored in the chip so that it is not exposed to secure embedded processors can be implemented in the network routers and switches, which demand high security. Since the security functions are mainly implemented by the hardware structure it cannot be easily tampered. The performance boost provided by the security engine makes the processor suitable for Real Time Processing, Printing and imaging, wirless access, industry and many consumer applications threat and data is confidential to the system. The security engine has been implemented in two AMCCs processor, 440GRx, and 440EPx. By integrating the security processing functions into the embedded processor, the communications equipment vendor will realize lower costs, high performance and stronger security than was possible with many standalone security-processing solutions. The main shortcoming of the secure embedded processors is that new security algorithms cannot be implemented without affecting the hardware structure and it will be costly. Although some security solutions may provide adequate protection, the best available solutions are single-chip, security-enabled processors like AMCCs PowerPC 440GPx. In todays world, protecting data of all types across various network environments is no longer just an option, its a must. An integrated chip offers the optimum package combining increased performance and security.

SECURE EMBEDDED PROCESSORS

17

Anda mungkin juga menyukai