Secure Embedded Processors

  • 8/2/2019 Secure Embedded Processors

    CHAPTER 1 : INTRODUCTION

    As networks incorporate more and more devices and span multiple locations, effectively removing the network perimeter, they become increasingly vulnerable to threats. Such threats include theft of confidential data, hacks and malicious code, providing unguarded entry into corporate networks and IT systems. To provide high-performance security solutions that protect data, applications and infrastructure, equipment manufacturers are trying to integrate security solutions even at the chip level. This need has led to the development of a new class of chip known as secure embedded processors, which integrate the security functions and an embedded processor in a system-on-chip fashion.

    While dedicated processors have been employed widely in communication equipment over the last few years to ensure maximum protection of data, both enterprise and SOHO customers are demanding that security be embedded in the networking devices. This need can be satisfied by secure embedded processors, which can be embedded in the devices directly and offer a high performance boost and a stronger security solution over the current stand-alone security processors.

    Various security protocols included in the security systems are added to the secure embedded processors so that the complete security functions can be offloaded from the host processors; protocol-intelligent hardware is thereby integrated with the processor. The growing need to better protect data communications, while enabling high-performance network systems, has driven the demand for a wide range of security processors and secure processors, from stand-alone security coprocessors to protocol-hardened security engines, which have become an essential part of integrated communication processors.

    CHAPTER 2 : REQUIREMENTS OF NETWORK SECURITY

    The basic requirements of network security are:

    1. Confidentiality: The data that users exchange must be protected from eavesdropping.

    2. Integrity: The data that is transferred across the network should be protected from modification.

    3. Authentication: Identities need to be protected to make sure that information is only exchanged between the intended persons or entities, and that information or service is only available to the users who have appropriate rights to access it.

    To meet these requirements for secure data communication, organizations deploy a wide range of security measures in their network devices.

    Typical services that use security measures include:

    1. Enterprise and access switches and router products

    2. Office automation solutions and printers

    3. VPN and SSL services

    4. Intrusion detection and prevention appliances

    5. Storage area and network devices

    CHAPTER 3 : FIRST LINE OF DEFENSE

    Encryption: To secure networks, appropriate measures have to be taken, such as new firewalls and intrusion prevention systems that identify and prevent attacks. As more and more data is transferred through the network, encryption of all data becomes important. All systems rely on cryptography to ensure confidentiality, authorization, authentication and data integrity of communication over potentially unsafe networks such as the Internet. Encryption is the foundation for all higher-level security protocols such as Internet Protocol Security, Secure Sockets Layer, Secure Multi Protocol Layer Protocol.

    Various cryptographic algorithms have been invented and employed to address the increasing demand for security. Hashing algorithms such as SHA-256 help preserve data integrity and are used for digital signatures. Public-key algorithms are mainly used for key generation and exchange, key confidentiality, signing and signature verification, while symmetric algorithms are mainly used for data confidentiality.

    CHAPTER 4 : GENERAL APPROACHES FOR IMPLEMENTING SECURITY

    Generally, security can be implemented in a system by different methods. The basic methods are defined below:

    1. Run security software on a general-purpose processor

    2. Employ a separate security co-processor

    3. Use a single integrated device known as a security-enabled processor

    Each of the above methods has its own drawbacks. Software algorithms are generally computation-intensive. Symmetric encryption and decryption technologies require many bit-manipulation operations. Software running on a general-purpose processor is often inefficient in performing such operations. The many instructions needed to implement cryptographic operations consume valuable CPU resources, thereby adversely affecting system performance and scalability. Executing security algorithms on a general-purpose processor will only be done in a client-type situation where a single interactive session is being secured.

    CHAPTER 5 : IMPROVEMENTS FOR SECURITY ALGORITHM

    The more effective alternative to software is cryptographic hardware acceleration in silicon.

    Dedicated hardware allows for efficient, high-performance implementations of cryptographic

    operations; the hardware logic is specifically designed to perform the cryptographic algorithms,

    thereby greatly outperforming software. While a general-purpose processor requires many

    instructions to implement an operation using general-purpose hardware blocks (such as an adder or a

    shift register), dedicated hardware crypto implementations only use the silicon cells that are strictly

    needed to perform the cryptographic operation. The efficiency of dedicated hardware also brings

    along the advantage of reduced power consumption.

    Another important benefit of hardware implementations is reduced vulnerability. While it may not be

    very difficult to alter security software running on a general purpose processor, it is far more complex

    and expensive to tamper with a cryptographic security engine embedded in a chip. In a very simple

    scenario, the hardware accelerators only implement basic cryptographic operations and operate under

    full control of an external host processor. The general purpose (host) processor is freed to focus on

    data processing, communications and exchanging information, such as commands, status, keys,

    initialization vectors, state information, as well as input and output data with the hardware

    accelerator.

    Several alternatives and improvements exist for the scenario described above. First of all, the system

    can enable more efficient communications with the hardware accelerator by allowing DMA and burst

    accesses. The host processor therefore doesn't need to work in a synchronous manner with the

    coprocessor. Instead, the host processor can prepare the data, commands and other information that

    needs to be processed while continuing with other tasks. This enables the host processor to truly

    offload cryptographic operations. The cryptographic hardware accelerator can incorporate the DMA

    controller and perform master accesses on the external bus autonomously. An additional way of

    offloading security-processing tasks from the host processor is to add processing and protocol

    intelligence to the cryptographic accelerator. Instead of just performing basic operations, the

    accelerator can perform multiple operations sequentially (such as encryption followed by a hash

    operation) and support protocol processing,

    CHAPTER 6 : INTEGRATION OF SECURITY ENGINE AND PROCESSORS

    Integrating intelligent hardware security accelerator(s) and a general-purpose host processor into a

    single chip, known as a security-enabled processor or a secure processor, produces the most efficient

    and cost-effective solution. A single-chip solution, which integrates an embedded processor with a

    cryptographic hardware accelerator in a system-on-a-chip fashion, is the best choice for addressing

    the growing security, cost, and performance requirements. The use of an on-chip bus enables

    increased performance and maximum security. For instance, sensitive key material can be generated,

    stored, and used fully on-chip - thereby avoiding exposure to threats outside of the chip. Other

    benefits of an integrated solution include lower cost and improved integration into networking

    systems.
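
The offload model of Chapter 5 (the host queues work and carries on while the accelerator fetches data as bus master) and the on-chip key handling described above can be sketched as a descriptor ring. This is an added example, not AMCC code or the 440EPx/440GRx register layout: the descriptor fields, status values, function names and key-slot scheme are assumptions, and XTEA in counter mode stands in for the engine's DES/3DES/AES crypto block.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical descriptor ring (assumption); not the 440EPx/440GRx layout. */
enum { RING_SIZE = 4, KEY_SLOTS = 2 };
enum { ST_FREE, ST_ENGINE, ST_DONE, ST_ERROR };   /* who owns a descriptor */
struct desc {
    uint32_t status, key_slot, iv[2], len;
    const uint8_t *src; uint8_t *dst;   /* DMA source / destination buffers */
};
struct engine {
    uint32_t keys[KEY_SLOTS][4];   /* engine-private; no read-back function */
    uint8_t key_valid[KEY_SLOTS];
    struct desc ring[RING_SIZE];
    unsigned head, tail;           /* next host slot / next engine job */
};

/* XTEA block encryption: stand-in for the DES/3DES/AES crypto block. */
static void xtea_encrypt(const uint32_t k[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Keys go in by slot number; descriptors later name the slot, not the key. */
int engine_load_key(struct engine *e, uint32_t slot, const uint32_t key[4]) {
    if (slot >= KEY_SLOTS) return -1;
    memcpy(e->keys[slot], key, sizeof e->keys[slot]);
    e->key_valid[slot] = 1;
    return 0;
}

/* Host: fill a descriptor, hand it to the engine, return immediately. */
int host_submit(struct engine *e, uint32_t slot, const uint32_t iv[2],
                const uint8_t *src, uint8_t *dst, uint32_t len) {
    struct desc *d = &e->ring[e->head % RING_SIZE];
    if (d->status != ST_FREE) return -1;          /* ring full: reap first */
    d->key_slot = slot; d->iv[0] = iv[0]; d->iv[1] = iv[1];
    d->src = src; d->dst = dst; d->len = len;
    d->status = ST_ENGINE;   /* on real hardware a write barrier comes first */
    return (int)(e->head++ % RING_SIZE);
}

/* Engine: as bus master, works through queued descriptors in order. */
unsigned engine_run(struct engine *e, unsigned max_jobs) {
    unsigned done = 0;
    for (; done < max_jobs; done++, e->tail++) {
        struct desc *d = &e->ring[e->tail % RING_SIZE];
        if (d->status != ST_ENGINE) break;        /* nothing queued */
        int ok = d->key_slot < KEY_SLOTS && e->key_valid[d->key_slot];
        if (!ok) { d->status = ST_ERROR; continue; }   /* no fallback key */
        uint32_t ctr[2] = { d->iv[0], d->iv[1] };
        for (uint32_t off = 0; off < d->len; off += 8) {   /* counter mode */
            uint32_t ks[2] = { ctr[0], ctr[1] };
            xtea_encrypt(e->keys[d->key_slot], ks);
            for (uint32_t i = 0; i < 8 && off + i < d->len; i++)
                d->dst[off + i] = d->src[off + i] ^ (uint8_t)(ks[i / 4] >> (8 * (i % 4)));
            if (++ctr[1] == 0) ++ctr[0];          /* 64-bit counter carry */
        }
        d->status = ST_DONE;
    }
    return done;
}

/* Host: poll a job later; a finished descriptor is freed for reuse. */
int host_reap(struct engine *e, int idx) {
    int st = (int)e->ring[idx].status;
    if (st == ST_DONE || st == ST_ERROR) e->ring[idx].status = ST_FREE;
    return st;
}
```

The host only ever passes a slot number, so key bytes appear in no descriptor and no host buffer after loading; a descriptor that names an unloaded slot completes with an error status and produces no output.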

    Both processors include an integrated hardware accelerator, known as a Turbo Security Engine, and

    embedded processor on a single chip, which makes them ideal for securing communication protocols

    over wired or wireless networks, for Virtual Private Network (VPN) support, or bulk encryption and

    decryption of stored data. The leading edge Turbo Security Engine offered on both processors is

    optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer

    Security (TLS), and Secure Real-Time Transport Protocol (SRTP).

    CHAPTER 7 : BLOCK DIAGRAM OF SECURITY ENGINE

    Fig 7.1 Block diagram of security engine

    7.1 Working of a security engine

    The working of the security engine can be explained block by block. The security engine is divided into a Master unit and a Slave unit, which are used for separate processing of data.

    Crypto block: This block is mainly used for accelerating different cryptographic operations such as Data Encryption Standard, Triple Data Encryption Standard and Advanced Encryption Standard.

    These encryption standards require many bit-manipulation operations. The registers inside the block are mainly suited for implementing the instructions of the above-mentioned standards.

    Hash block: The function of the hash block is to enhance hashing functions such as Secure Hash Algorithm and Message Digest 5. Hash functions are mainly used for data integrity and digital signatures.

    Public Key accelerator: The public key accelerator is mainly for the acceleration of public-key cryptographic algorithms.

    Kasumi engine: The Kasumi engine is used for Kasumi encryption and decryption. The Kasumi block cipher is used for security in many wireless standards; the engine also supports the f8 and f9 algorithms in addition to the Kasumi encryption and decryption modes.

    TRNG: True Random Number Generators are used for the generation of random numbers; pseudo-random numbers are generated by the IV, PRNG unit.

    The packet header processors and trailer processors are mainly for the processing of IPSec,

    The data, i.e. the plain text that is to be converted into cipher text, is transferred to the security engine through the Processor Local Bus. The user has to define the type of cryptographic algorithm used and the number of bits in the key. The instruction suited for the processor is used to operate the corresponding block in the security engine. In the case of the DES, Triple DES and Advanced Encryption Standard algorithms, the crypto block is operated and the data is converted into cipher text. Its main feature is that the key can be generated by the processor itself and transferred if required. For hashing algorithms such as Secure Hash Algorithm-256 and Message Digest 5, the hash block is used. The registers and the adders inside this block are specially suited for enhancing these functions.

    7.2 Features of security engine

    The leading edge Turbo Security Engine offered on both processors is

    optimized for Internet Protocol Security (IPsec), Secure Socket Layer (SSL), Transport Layer Security

    (TLS), and Secure Real-Time Transport Protocol (SRTP).

    The special features of the security engine are described below:

    1. IPv4 and IPv6 packet header and trailer processing for IPsec

    2. Packet payload processing for IPsec (AH/ESP), SSL/TLS, and SRTP protocols

    3. Public key algorithm acceleration such as for RSA and Diffie-Hellman

    4. Generation of true random numbers for key exchange protocols such as IKE

    5. Kasumi block cipher, which is used for security in many wireless standards; supports f8 and f9 algorithms in addition to Kasumi encryption and decryption modes

    The use of an on-chip bus enables increased performance and maximum security. For instance, sensitive key material can be generated, stored, and used fully on-chip, thereby avoiding exposure to threats outside of the chip. Other benefits of an integrated solution include lower cost and improved integration into networking systems.

    CHAPTER 8 : SECURE EMBEDDED PROCESSORS

    The security engine embedded with the processor provides a high performance boost over other typical processors.

    8.1 Features of secure embedded processors

    The special features of the processors are

    Output speed 333 to 667 MHz

    5-stage FPU with 2.0 MFLOPS/MHz (SP/DP); hardware support for IEEE 754; single-precision and double-precision operation with 32 64-bit floating-point registers

    On-chip IPSec/SSL acceleration (optional)

    NAND Flash controller: supports one to four banks of NAND Flash memory devices; direct interfacing to discrete NAND Flash devices (up to four devices) and SmartMedia Card socket (22-pins); 4-Mbyte to 256-Mbyte device sizes supported; 512-byte + 16-byte or 2-Kbyte + 64-byte device page sizes supported; DMA support allows direct, no-processor-intervention block copy from NAND Flash out to SDRAM; boot-from-NAND supported

    On-chip double data rate 2 (DDR2) SDRAM controller with 32/64-bit interface, 2.6-Gbyte/s peak data rate and optional ECC

    Support for two banks of DDR2 SDRAM memory of up to 1 Gbyte each, maximum capacity of 2 Gbytes

    Support for 256, 512-Mbit and 1-Gbyte DDR2 devices, with CAS latencies of 2 or 3

    32-bit PCI V2.2, 3.3-V interface supporting frequencies of up to 66 MHz

    USB 2.0 device controller, USB 2.0 host controller and one on-chip USB 2.0 PHY. A second USB PHY can be attached off-chip via a UTMI interface.

    Two Ethernet 10/100/1000-Mbit/s, full-duplex MACs supporting GMII/MII, TBI, RTBI, RGMII, SMII interfaces. Memory access layer (MAL) provides DMA capability to both Ethernet channels

    Up to 83-MHz, 30-bit address bus, 32-bit data bus external bus control (EBC) interface

    Support for up to 6 ROM, RAM, or slave peripheral I/O devices

    4-channel DMA support for external peripherals

    External bus master controller for access to internal peripherals

    Support for memory-to-memory, peripheral-to-memory, and memory-to-peripheral transfers

    Scatter/gather capability

    Up to four UARTs (1x 8-pin, or 2x 4-pin, or 4x 2-pin, or 1x 4-pin and 2x 2-pin)

    Two IIC (with one integrated boot strap controller)

    One SPI serial interface

    4-channel DMA available for internal and external use

    Programmable interrupt controller with 10 external inputs, 54 internal inputs

    Programmable timers

    Fig 8.3 AMCC 440EPx security enabled processor

    The PowerPC 440 Core

    To enhance overall throughput, the PowerPC 440 superscalar core incorporates a 7-stage pipeline

    and executes up to two instructions per cycle. Its large 32-Kbyte data cache and 32-Kbyte

    instruction cache are 64-way set-associative. Versatile configurations enhance performance

    tuning while optional parity protection preserves data integrity. For additional system performance,

    the PowerPC 440 core includes dynamic branch prediction and 24 multiply accumulate instructions

    (MAC) that can be used for signal processing or other numerical tasks, as well as non-blocking caches that

    can be managed in either write-through or write-back mode.

    High Performance FPU

    In addition to its powerful 440 core, the PowerPC 440EPx includes a high-performance FPU. This

    superscalar FPU supports both single and double precision operations, and offers single cycle

    throughput on most instructions. The result is exceptional performance in imaging and other

    calculation intensive applications.

    Security (Optional)

    On-chip IPsec/SSL Security acceleration engine supporting DES, 3DES, AES, ARC-4 encryption,

    MD-5, SHA-1 hashing, HMAC encrypt-hash and hash-decrypt and Kasumi. Also supports public key

    acceleration for RSA, DSA and Diffie-Hellman, and an on-chip true random number generator.

    High-Speed Bus Architecture

    Offering a peak bandwidth of 5.3 Gbytes/s and separate read and write data buses, the PowerPC

    440EPx's processor local bus (PLB) provides a high bandwidth connection between the processor

    core and memory controller. Less demanding I/O devices are served by two 32-bit on-chip

    peripheral buses (OPB).

    Extensive Memory Support

    An on-chip double data rate 2 (DDR2) SDRAM controller provides a 32/64-bit memory interface

    with optional error checking and correcting (ECC) and a 2.6-Gbyte/s peak data rate. It supports two memory banks of up to 1 Gbyte each, for a maximum capacity of 2 Gbytes. An integrated

    NAND Flash controller allows up to four banks of Flash memory devices to be connected to the

    processor's external peripheral bus. The Flash controller supports device densities up to 512

    Mbytes and an optional SmartMedia card interface. These devices can be accessed much like diskette

    drives, with available boot capability.

    On-Chip Memory

    The PowerPC 440EPx offers 16 Kbytes of on-chip memory.

    PCI Interface

    The PowerPC 440EPx offers a 32-bit PCI V2.2 interface and supports frequencies of up to 66

    MHz. Multiple read prefetch and write post buffers enhance throughput, while the ability to boot the

    processor from PCI bus memory increases functionality.

    Dual Ethernet Ports

    For extensive connectivity options, the 440EPx offers two integrated 10/100/1000 Ethernet ports

    with Jumbo Frame support. It supports GMII/MII, TBI, RTBI, RGMII, and SMII interfaces.

    USB Interface

    The 440EPx includes USB 2.0 host and device controllers and a single on-chip USB 2.0 PHY.

    A second USB 2.0 PHY can be attached externally via a UTMI interface.

    External Bus Interface

    To accommodate connectivity with other devices, the PowerPC 440EPx offers a 32-bit bus supporting

    up to six ROM, RAM or slave peripheral I/O devices and speeds up to 83 MHz. 4-Channel DMA and

    external bus mastering are also supported.

    Standard Peripherals

    The PowerPC 440EPx offers support for up to 64 general-purpose I/O (GPIO) and two IIC controllers.

    A serial peripheral interface (SPI), also referred to as a serial communications port (SCP), allows

    full-duplex, synchronous data exchanges with other serial devices. The 440EPx also supports up to four

    UARTs in a variety of configurations. A JTAG interface is provided for debugging purposes.

    8.2 Throughput of secure embedded processors

    The throughput of the processor increases due to the implementation of the security engine. This can be verified by the simulation-based performance of the processors. The processors on which this security engine has been implemented are AMCC's PowerPC 440EPx and 440GRx.

    The Turbo Security Engine gives the PowerPC 440EPx and 440GRx processors a significant performance boost over other security-enabled processors available. For IPSec and SRTP packets, the simulation-based performance numbers for the full-offload Turbo Security Engine are 472 Mbps (3DES, SHA-1, 350-byte packets) and 485 Mbps (AES, SHA-1, 350-byte packets), while freeing the 440EPx and 440GRx processors for running real-time applications. SSL/TLS packet throughput for the Turbo Security Engine is 300 Mbps (3DES, SHA-1, 350-byte packets) and 400 Mbps (AES, SHA-1, 350-byte packets).

    The graphs below represent the throughput of the processors for different protocols such as IPSec, SRTP and SSL/TLS. The X-axis represents the number of bytes in the packet and the Y-axis represents the output per second in Mb.

    Fig 8.1 Throughput of the processor for IPSec and SRTP

    Fig 8.2 Throughput for SSL/TLS protocols

    Both processors include a CoreConnect Processor Local Bus operating at up to 166 MHz (128-bit PLB) with separate read and write data paths, a 64-bit DDR SDRAM controller with ECC protection, a 32-bit PCI interface, two on-chip 10/100/1000 Mbit/s Ethernet MACs with packet reject inputs, four UARTs, one Serial Communications Port, two IIC units, a NAND Flash controller, General Purpose I/Os, and a programmable interrupt controller. Ideal for protecting network applications, the 440GRx processor delivers speeds of up to 667 MHz and executes up to two instructions per cycle. With the addition of a Floating Point Unit and USB 2.0 Host/Device functionality, and with speeds of up to 667 MHz, the PowerPC 440EPx is an optimal solution for printing/imaging, wireless access, industrial and many consumer applications.

    CHAPTER 9 : CONCLUSION

    Sensitive materials can be generated and stored in the chip so that they are not exposed to threat and data is confidential to the system. Secure embedded processors can be implemented in network routers and switches, which demand high security. Since the security functions are mainly implemented by the hardware structure, they cannot be easily tampered with. The performance boost provided by the security engine makes the processor suitable for real-time processing, printing and imaging, wireless access, industry and many consumer applications. The security engine has been implemented in two AMCC processors, the 440GRx and 440EPx. By integrating the security processing functions into the embedded processor, the communications equipment vendor will realize lower costs, high performance and stronger security than was possible with many standalone security-processing solutions.

    The main shortcoming of secure embedded processors is that new security algorithms cannot be implemented without affecting the hardware structure, and it will be costly. Although some security solutions may provide adequate protection, the best available solutions are single-chip, security-enabled processors like AMCC's PowerPC 440GPx. In today's world, protecting data of all types across various network environments is no longer just an option, it's a must. An integrated chip offers the optimum package, combining increased performance and security.
