A Report for EE 686: Embedded Computer Security

Biometric Authentication and Secure Processing in Networked Embedded Systems

Michael Grant, Ganesh Pai
Department of Electrical and Computer Engineering
University of Virginia, Charlottesville, 22903
{msg5c, gjp5j}@virginia.edu

Abstract

Networked and mobile embedded computing devices like personal digital assistants and handheld computers are the new face of intelligent computing. These have made information retrieval and delivery effortless. The security of information stored on or accessed via such networked devices should be an important consideration, given their ubiquitous nature in today’s society. This pervasive computing architecture should be designed so that entities in the network do not get access to unauthorized information. Therefore we need to renew our concern for the security of networked embedded devices, and develop architectures in which security is inherent. In this project we survey potential solutions to the problem of authenticating users to embedded computing devices using biometrics. Biometrics can be used to significantly increase the security of the information stored in such electronic devices. This report provides a general overview of biometric techniques currently in use. We also investigate the use of reconfigurable logic as a convenient and energy-efficient means to provide both security and performance on these embedded platforms as compared to corresponding software solutions.


1 Introduction

An increasing number of business executives, teachers, engineers, and other professionals are purchasing embedded computing devices such as personal digital assistants (PDA’s), electronic organizers, and cellular phones both for professional and personal use. Inevitably, many store their passwords, credit card numbers, bank account numbers, personal identification numbers (PINs), and other personal information on these devices for easy access. Unfortunately, a lost or stolen PDA makes the owner extremely vulnerable to identity theft, theft of financial assets, and other crimes. The loss or theft of a business executive’s PDA may expose an entire company to theft, fraud, or loss of sales revenue. Therefore it is important to design embedded computing systems that are secure both in stand-alone and networked modes.

Together with reconfigurable computing hardware, security protocols that use biometric data can be implemented in energy-efficient ways in these embedded computing environments. In this report we present a general overview of biometric security schemes, and give a possible implementation of a fingerprint-based authentication mechanism for an embedded computing device. We also survey techniques for implementing the essentials of security in reconfigurable hardware, specifically cryptographic algorithms.

The report is organized as follows: Section 2 gives a general description of biometrics and the types of biometric features used in security systems. Section 3 describes the current use of biometric systems, and we present possible guidelines for future use of biometrics. In Section 4, we present hardware implementations and general security protocols involving biometrics in embedded computing devices. Section 5 deals with flexible or reconfigurable architectures that may be used in embedded environments. We also describe architectural considerations in using configurable hardware. Section 6 describes how caches can be reconfigured to provide additional functional units, and how this architecture is suited to cryptographic algorithms. We present the architecture of such a reconfigurable cache and explain why reconfigurable hardware can provide energy efficiency. We conclude in Section 7.


2 A Primer in Biometrics

In this section we provide a general overview of various types of biometrics in use today, along with basic terminology. Webster's dictionary defines “biometrics” in terms of “biometry” which is simply "the statistical analysis of biological observations and phenomena" [1]. We generally tend to view the storage of biometric data in terms of a fingerprint image, a voiceprint recording, or some other replica of a physical feature. In fact, most biometric systems today do not store such replicas, but only a set of measurements or a code derived from the raw biometric data itself [2]. This code is referred to as a “template.” Thus a fingerprint matching system, for example, is used to scan a person's fingerprint, extract minutia points from the print, and store these points as the fingerprint template. Notable exceptions to this would be the United States Federal Bureau of Investigation and other law enforcement agencies, which often store images of the entire fingerprint [3].

Besides fingerprint scanning there are systems in use or in development today that make use of voice patterns, iris scans, retinal scans, face recognition, hand geometry, and even dynamic feature biometrics such as gait (how a person walks) and lip movement when a person speaks a particular word. Some systems make use of a combination of two or more biometrics. In all of these systems there are three fundamental aspects to their use. Fig. 1 shows these as:

• An initial scanning and "enrollment phase" where the biometric is initially taken and the features of the biometric are extracted to produce a template.

• The secure storage of the template in a device, an institution, or other secure entity for later authentication.

• A re-scanning of the biometric and subsequent reproduction of the template when users authenticate themselves to the secure entity with which the biometric is enrolled.

Most systems use the biometric template for authentication as opposed to identification. To be authenticated a user will first enter a system username, and then submit a biometric template to allow the system to compare the new template to the stored template.


[Fig. 1: Template Enrollment and Use in Authorization. Enrollment phase: USER → Biometric Reader → Feature Extraction/Initial Template Production → Secure Template Storage. Authentication phase: USER → Biometric Reader → Subsequent Template Extraction for Authentication → Template Matching (against the stored template) → Yes/No.]

This is a less demanding task than searching a large database to match a template in order to identify an unknown user. Another key aspect common to all biometric systems is access error caused by misreading of the biometric itself. Things such as cuts or injury, which alter a person’s fingerprint or hand geometry, may cause misreading. Similarly, lighting changes can degrade the performance of face recognition systems. Such errors in authentication are of two types, i.e., false-acceptance, or accepting an unauthorized user, and false-rejection, or refusing to accept an authorized user [4]. All biometric systems exhibit these errors to a greater or lesser degree, and thus systems are generally characterized by the false-acceptance rate (FAR) and the false-rejection rate (FRR). Clearly there is a tradeoff between a highly accurate system that almost always admits only authorized users (its FAR is low and its FRR is high) and a less accurate system that may wrongly admit a larger number of unauthorized users (its FAR is high but its FRR is low).

Highly classified areas in military installations, for example, would accept a high FRR to ensure that only authorized users gain access to facilities. Bank customers using ATMs, on the other hand, would find a high FRR unacceptable. Managers of biometric systems must assess their security needs, user demands, and so on, to find the right balance of security (low FAR) and convenience (low FRR). Next we discuss the major types of biometric systems and where they are in use. Later, we will focus on a generalized fingerprint recognition scheme implemented in a mobile computing device such as a PDA or cell phone to enhance the device security.
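The FAR/FRR tradeoff just described, worked through on constructed data. This is an added example in Python and not part of the report: the genuine and impostor match scores are invented, and the two tuning functions encode the two policies the text contrasts (cap the FAR and accept the resulting FRR, as a secure facility would; cap the FRR and accept the resulting FAR, as an ATM operator would).

```python
# Constructed match scores in [0, 1] from an imagined evaluation run: ten genuine
# attempts (the enrolled user re-scanned) and ten impostor attempts (another person).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.69, 0.85, 0.93, 0.74]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.72, 0.30, 0.15, 0.55, 0.27, 0.41]


def error_rates(genuine, impostor, threshold):
    """FAR: share of impostor attempts accepted; FRR: share of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, step_percent=5):
    """(threshold, FAR, FRR) rows for thresholds 0.00, 0.05, ..., 1.00."""
    rows = []
    for t in range(0, 101, step_percent):
        threshold = t / 100
        far, frr = error_rates(genuine, impostor, threshold)
        rows.append((threshold, far, frr))
    return rows


def equal_error_point(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the equal-error-rate summary figure)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning (the military installation): cap FAR, then minimise FRR.
    Ties go to the lower threshold, the more convenient of equally secure settings."""
    feasible = [row for row in sweep(genuine, impostor) if row[1] <= max_far]
    return min(feasible, key=lambda row: (row[2], row[0]))


def threshold_for_max_frr(genuine, impostor, max_frr):
    """Convenience-first tuning (the ATM): cap FRR, then minimise FAR.
    Ties go to the higher threshold, the more secure of equally convenient settings."""
    feasible = [row for row in sweep(genuine, impostor) if row[2] <= max_frr]
    return min(feasible, key=lambda row: (row[1], -row[0]))


if __name__ == "__main__":
    for threshold, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, 10):
        print(f"threshold {threshold:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("equal-error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR capped at 0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("FRR capped at 0:", threshold_for_max_frr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On this data no single threshold gives both rates zero: capping the FAR at zero forces a 20 percent FRR, and capping the FRR at zero leaves a 10 percent FAR, which is exactly the choice the report says a system manager has to make. With real systems the score lists come from an evaluation corpus of many thousands of attempts, and the sweep is plotted as a receiver operating characteristic rather than read off a table.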

2.1 Major Types of Biometric Systems

In this section we briefly discuss some of the major biometric systems and examine their strengths and weaknesses. References [4, 7, 8, 9] provide a more in-depth review of these systems. Although most of the biometric recognition techniques addressed here currently require too much hardware and computational power to implement in today’s embedded computing devices, we believe that most of these technologies will be "scalable" for use in smaller devices in the foreseeable future, and thus warrant discussion.

2.1.1 Face Recognition

Face recognition technology is a relatively new form of biometric technology. It has only been available in the commercial world since the mid-1990s [4]. One weakness in this technology is that even the most accurate face recognition algorithms are sensitive to illumination changes. This could result in an ATM customer being recognized and authenticated during the daylight hours, but falsely rejected at night under poor lighting conditions. Scans can also be affected by the quality of the video camera being used. The angle of the face being scanned can also adversely affect performance. One system discussed in the literature fails if the face being scanned is turned more than 45 degrees from the camera. These systems must also deal with the fact that people’s faces generally change with age or even emotional state.


The strength of face recognition systems is that most people view these systems as less invasive than many other biometric methods. An advantage for law enforcement agencies (and perhaps a danger to citizens’ privacy rights) is that a face recognition system can be used covertly, since the person being scanned does not have to actively participate in the scanning, unlike fingerprint or retinal scanning. Face recognition systems were used at the 2000 Olympics for surveillance.

2.1.2 Fingerprint Recognition

This is the oldest biometric method for establishing identity and has been in use for about 100 years [3]. Both manual and automated fingerprint systems in use today are based on the fingerprint characterization studies performed by Sir F. Galton, and the classification method developed by E.R. Henry [3]. In the systems studied, fingerprint-based biometric systems are generally used to augment or replace password-based security schemes.

A number of companies are producing low-cost readers, and some readers have already been incorporated in notebook computers to authenticate users at startup. As with many biometric methods, the errors in fingerprint systems can vary widely in type and frequency. Finger pressure, position, surface oils, and dryness among other factors can affect the scanned images of fingerprints. Testing of some systems has revealed that false-rejections are a significant problem, and that errors due to poor quality images ranged from 0.5 to 37 percent [4].

Another problem with this biometric technology is lack of complete uniqueness between people. Roughly five percent of people have fingerprints that cannot be recorded because they are obscured by a cut or a scar or are too fine to show up well in a photograph [8]. However, in spite of these weaknesses, it appears that fingerprint recognition is becoming one of the most widely used forms of biometric-based authentication due to the relative ease of use and low cost of available systems and hardware.

Fingerprint recognition seems likely to become the dominant type of biometric authentication for embedded computing devices in the foreseeable future. We will therefore focus on this biometric technology in our section on hardware implementation.


2.1.3 Voice Recognition

This technology does not appear to be as popular as some other biometric technologies. However, a related technology, speech recognition, is already in use at companies like Sprint, where it is used to replace number entry [4]. Intuitively it seems that voice recognition biometrics could become more widespread for authenticating users to their personal computing devices. This is simply because so many PDA’s and portable PC’s have built-in microphones and audio signal processing features.

By their very nature cell phones could naturally incorporate voice recognition hardware for authentication. It is also possible that cell phone networks could provide service protection using voice recognition technology at central locations to protect standard cell phones that do not have embedded biometric capability. A customer’s voice could be authenticated near the beginning of each call and perhaps at regular intervals. If the voiceprint did not match the customer’s print (or the voice prints of others who were authorized to use the phone), the call could be quickly terminated by the company, perhaps saving the customer the cost of a sizable phone bill.

A chief disadvantage of this technology is the changing nature of the biometric. People’s voices are affected by head colds, age, and emotional state. Additionally, authenticating oneself to a cell phone or to a PDA with this technology could be problematic in noisy environments like airports, restaurants, and hotel lobbies.

2.1.4 Iris Scanning

This biometric technique is a more discriminating method than fingerprint or face recognition [7], and from our research appears to be the most robust method of biometric authentication in use today. Its advantages are numerous: the iris, the colored portion of the eye surrounding the pupil, is unique to every person. This type of biometric scan is termed data-rich because of this uniqueness. In fact, even the iris patterns in two eyes of the same individual are different. Additionally, this biometric is stable with time, unlike other biometrics.


One system designed by a company in the United Kingdom transforms an iris scan into a code based on Gabor wavelets, which optimizes the resolution in both the spatial and the frequency domain [7]. The fully automated version of the system is designed for use at bank ATM’s. No real cooperation on the part of the user is required except that the user stand within 15 to 30 inches of the scanner. The processing time is relatively fast at approximately 2.5 seconds, and this system even works if the customer is wearing glasses or contact lenses. Because the technique is so reliable, the combined error rate in this system for both false-rejects and false-accepts was approximately 1 in 1.2 million. The field tests conducted showed a high user acceptance rate, and users preferred this system to PINs.

A personal-use version of this iris-scanning system is less expensive than its ATM counterpart but requires more cooperation by the user, in addition to using what we believe is a less secure authentication procedure. This particular system, as described, does not explicitly include encryption of the template prior to transfer to the central authentication server. In our view, this is an example of the prime pitfall of biometric technology, i.e., the transfer of the biometric template over networks. Although this system compresses the iris scan prior to transmission, and then extracts it at the central server prior to comparison, the system appears to be open to network sniffing and replay attacks. More on the general issue of biometric template storage and transfer will be presented in our section on hardware implementation.

The iris scan biometric technique is one of the most accurate but is also one of the most expensive. This technology will likely continue to be used primarily at banks, military installations, and other facilities where an unusually high degree of security is warranted.

2.1.5 BioID: A Multimodal Biometric Identification System

Lastly in this overview of biometric technologies, we mention a system called BioID [8] that combines face, voice, and lip movement recognition (a dynamic feature) to provide more security than a single-mode biometric identification system. As mentioned, some people have fingerprints too shallow or scarred to be usable, and identical twins often have faces so similar that today’s face recognition systems cannot tell them apart. This non-uniqueness in some biometrics suggests the need for a system that authenticates the user via multiple biometric measures. The BioID system is accurate and is customizable in the sense that, based on previous successful authentications, more weight can be given to the most accurate of the three biometrics for a given user. This system is presently implemented with a desktop PC and other hardware and is too big for current PDAs and laptops. However, we believe the principle of multimode biometric recognition is sound, and that similar systems employing a combination of biometrics can be implemented in embedded computing devices.

3 Current Biometric Use and Guidelines for Future Use

In this section we discuss the current use of biometrics at government agencies, and the general use of biometric systems to replace current password/PIN-based schemes or card-based authentication methods. We highlight some of the legal and privacy issues raised by the use of biometrics in either small embedded devices or in larger computing devices. We also offer general recommendations for when and how to use this technology.

3.1 Current Biometric Use at Government Agencies

Most U.S. government agencies today are being asked to “do more with less.” As a result several government agencies have responded by incorporating biometric systems to help administer welfare and food stamp programs, and to reduce fraud while increasing efficiency. Cities in New York, New Jersey, and Connecticut even coordinate the exchange of fingerprint data although the federal government does not directly mandate this interoperability [9]. At present, there are no other multi-state government agencies outside of law enforcement that routinely exchange biometric data.

The Immigration and Naturalization Service (INS) uses biometric systems more than any other government agency [9]. Frequent international travelers to the U.S. may now use a system based on hand geometry for faster passage through customs. This program is voluntary and is offered as a convenience to the traveler.


3.2 Vulnerabilities and Recommendations for Biometric Use

It has been asserted that many people, including lawmakers, often react negatively to biometric authentication techniques because they are intrusive [9]. In our view, and based on particular concerns expressed by various citizen groups [9], there are two prime concerns related to the use of biometrics. These are the loss of personal information that can result in identity theft, fraud, bank account theft, etc., and the use of biometric data by authorities to covertly track personal movement, thereby encroaching on personal freedom. Both of these are in essence a concern about the invasion of the biometric owner’s privacy.

We would recommend that at a minimum, policies be established by companies to safeguard the personal biometric information of customers and employees. To that end, the International Biometric Industry Association, a Washington, DC-based trade organization, was established to set up standards for personal privacy protection in regard to biometric usage. We would further recommend that appropriate State and Federal laws be enacted to discourage, and punish, the selling and the misuse of biometric information by private firms or government agencies, particularly to address information theft and personal tracking by authorities. Laws prohibiting the sale of biometric data by companies are needed since this information is at least as sensitive as one’s credit card, bank account, or social security numbers. Additionally, a customer or system user should be able to choose the type of biometric they wish to enroll with a company or agency. A person may not mind their fingerprints being in a database, but may not wish to have their face, gait, lip movement, or other personal features catalogued.

One point we would make however, is that given our present networked commerce systems, based on the possession of credit cards, IDs, PINs, etc., consumers and system users are already quite vulnerable to identity theft, fraud, financial theft and, to some degree, personal tracking. Knowledgeable thieves can already access databases of credit card numbers, even if our wallets or purses are not stolen outright. And governmental authorities can already track our movements to some extent via ATM accesses and cell phone calls, for example, if not by direct surveillance. We submit that if biometrics can be used to strengthen current weaknesses in our computing and commerce systems without further loss of individual privacy, then they should be used. From our research it appears that the use of biometrics for safeguarding personal computing devices, including PDA’s, cell phones, and notebook computers, is perhaps the best application for biometric security techniques. This is an application where the biometric template owner retains control of their personal biometric information.

Wherever possible, companies or agencies that institute biometric-based systems should allow their use to be voluntary, offering less secure PINs or customer numbers to users who do not wish to enroll a biometric. Further, persons should be allowed to supply their own biometric template via tamper-resistant/tamper-evident smart cards (probably certified by a trusted third party) for authentication. In this way the owner of the biometric again retains control of their biometric data. We conclude that one cannot know all of the ways in which our biometric data may one day be used to track personal activity or otherwise encroach upon our rights as citizens. It is therefore prudent to err on the side of caution. In short, the benefits of adopting any biometric-based system must be assessed in light of the potential loss of personal information or the limiting of individual freedoms.

4 Hardware Implementation and General Security Protocols

In this section we discuss general aspects of security related to the use of biometric authentication with embedded computing devices. We then focus on authentication methods in a conceptual PDA-type device, which incorporates a fingerprint biometric.

4.1 General Safeguarding of the Biometric Template

First, we make a distinction in this paper between “common” or less-sophisticated thieves, network intruders, and professional intruders who will stop at nothing to steal an identity or break into a secure system. It is evident that no system can be made completely secure. However, we submit that biometric-based authentication methods can be developed to provide better security for handheld, embedded computing devices than is presently the case with PIN or password-based procedures.


Business executives, system administrators, and others should be able to use their PDA to store and conveniently access passwords and personal information without undue fear of compromise. A simple fingerprint-based biometric authentication can be used to better secure today’s devices in cases of loss or theft by the common thief since (in theory) no one but the owner can use a particular device. Some benefits of a biometric over a password are that the biometric cannot generally be lost, forgotten, or written down. However, as pointed out by Klosterman and Ganger [10], biometric information cannot be called a secret since some biometric information can be easily obtained. A person’s picture taken from a website, for example, might fool a face recognition system.

Clearly some biometrics are much harder to obtain than others, and though a fingerprint can be stolen from a person, this would be difficult for the common street thief who just wants to sell a stolen device. An iris or retinal scan would be harder still to directly obtain from an unwilling individual. In the case of forged or stolen fingerprints, there is at least one company that maintains its fingerprint readers can distinguish a live finger from a dead finger, a mold, a paper version of the print, and so on (Fig. 2) [12].

Fig. 2: BioFirst Fingerprint

As with any networked system, a network-based biometric system is subject to the usual attacks, which can include biometric template sniffing and replay. These can be mitigated by encryption and the use of nonces as is done with other existing secure message passing protocols. Therefore we see little advantage for the user in adopting systems that require a biometric template be passed over a network in lieu of any other shared secret. However, the use of a biometric to authenticate a user to his or her own mobile computing device does seem to be a safe and useful application of this technology.

In the area of networked biometric systems, there is at least one company [13] that produces a dedicated fingerprint server (Fig. 3) to authenticate remote users over a network. The system reads the user’s fingerprint at logon, extracts the template, which is the set of minutia points, and then transmits the template to the server for matching with the previously enrolled template. Note that the minutia points cannot be used to actually reconstruct the image of a fingerprint. This fact does help secure the raw biometric data, if not the template itself. Additionally, the company safeguards the template by randomly altering the stored template values (probably with a nonce and a hashing process), so that even if the template is sniffed in transit by an attacker it cannot be used on subsequent logins.

For this process to work, we suppose that there must be some kind of code or nonce passed to the remote during a login session that allows the template to be appropriately processed for subsequent logins.

Fig. 3: BioLink Fingerprint Authentication Server

This code or nonce is of course a shared secret and, again, we see no advantage to the user with this method over similar non-biometric schemes except that authentication to the remote terminal does not require a password. The primary benefit seems to be to the company, which does not have to rely on the user to safeguard passwords or PINs.

4.2 An Implementation of Fingerprint-Based Biometric Authentication

We propose the conceptual design of a mobile (embedded) computing device like a PDA, cell phone, or laptop PC that allows the user to safeguard the device using a fingerprint biometric. The basic components of the design are shown in Fig. 4. The device would use a small fingerprint reader like the Atmel Fingerchip (Fig. 5), which uses a swiping action to acquire the fingerprint image. A smart card securely stores the enrolled template, and a smart card reader would be used to match the enrolled template to the newly acquired template during logon authentication.¹

A reconfigurable (or dedicated) hardware module acts as the device gatekeeper by providing computational functions for both authentication and encryption.

Fig. 4: A Biometrically Secured Mobile Computing Device

Of course, biometric authentication systems may be attacked not only via networks, but also by simply bypassing the sensor and feeding data directly to the reader or template processor. Reference [10] provides a good discussion on this type of attack. This can be made more difficult by using tamper-resistant packaging and by including power-interruption circuitry as part of the reconfigurable computing hardware module. If the device case were breached, the circuitry would prevent it from being powered up.

¹ After our conceptual device design for this paper was completed, we located a company called Identix [14], which produces a combination smart card and fingerprint reader that could be used in this type of device.

Fig. 5: Atmel “Fingerchip” Fingerprint Reader

To thwart an attack at the device operating system level (e.g. using a debugger to simply dump memory as has been done with the Palm Pilot), the power-interruption circuitry would not allow device boot up without a fingerprint match.

Once the user is authenticated, secure communication software could require a second print match to obtain access to a lockbox of keys for either symmetric or public-private key pair message encryption. In this way the user maintains control of the biometric template, and secure communication is set up without having to transmit any biometric information. Other variations are possible, such as only requiring a PIN to gain access to the key lockbox once the user has been authenticated to the device. Another possibility is multi-mode biometric authentication using combinations of fingerprints, voiceprints, and so on. For power and packaging considerations, one could eliminate the smart card element and simply use the mobile device itself for template storage. This would reduce hardware size, weight, and power, but may make the biometric template more vulnerable.

With any of these options, the device battery life could be extended by powering down the reconfigurable hardware after authentication, and whenever encryption functions were not needed. In the next section, we provide further detail on the implementation of cryptographic functionality in a mobile computing device using reconfigurable hardware.


5 A Flexible Hardware Architecture

Most security protocols rely on strong cryptography, and these cryptographic algorithms can be implemented either in software or in hardware. In this section, we describe different hardware methodologies for implementation of cryptographic algorithms in an embedded environment, and we specifically focus on techniques employing flexible or reconfigurable hardware.

Hardware implementations of encryption algorithms in reconfigurable logic have several advantages over their software counterparts, including speed of encryption (measured in Mbps). However, it is interesting to note that the speed of encryption algorithms implemented in software depends on different parameters, such as the underlying architecture of the processor running the software version of the algorithm. A software implementation of the CAST-256 algorithm on a Pentium Pro PC running at 200 MHz achieved a data rate of 40.4 Mbps, while a hardware implementation using FPGAs achieved a throughput of 11.03 Mbps [CBT99, 18]. This is because of the nature of the algorithm and the fact that clock rates on FPGAs are lower than those of general-purpose processors. Conceivably, with faster processors such as the Itanium, software implementations of encryption algorithms will be faster than the fastest FPGA implementation [22].

Yet, most cryptographic algorithms function more efficiently when implemented in hardware than in software. Reconfigurable or customized hardware can exploit bit-level parallelism and instruction-level parallelism (ILP), inherent in most cryptographic algorithms, which may not be accessible to general-purpose processors [27]. Besides this, reconfigurable hardware has the added advantage of dynamic cryptographic algorithm agility. This is especially desirable because of the algorithm-independent design of modern security protocols such as SET or IPSEC [26]. Further, algorithm agility is not possible on ASIC implementations of cryptographic algorithms or cryptographic co-processors that are tuned for a particular encryption or decryption algorithm. Besides algorithm agility, the authors of [21] also point out algorithm upload and algorithm modification as potential advantages of implementing cryptographic algorithms in reconfigurable logic. Clearly, it is easier to change or upload an algorithm, should the need arise, if the hardware implementation is reconfigurable, as opposed to application-specific. Moreover, the configurable nature of the hardware allows customization to specific algorithm parameters on the fly (such as multiplication with a constant, as is frequently encountered in many cryptographic algorithms). This often makes the implementation more efficient.

Reconfigurable hardware also represents a tradeoff between customization, flexibility and cost, and this is another desirable property in networked embedded (and possibly mobile) computing environments. Finally, reconfigurable hardware offers all the capabilities of conventional hardware with additional opportunities for optimization.

5.1 Architecture Considerations for Implementing Cryptographic Algorithms

We notice that all of the encryption algorithms use a combination of the following core operations: bit-wise XOR; modulo-2^n addition, subtraction or multiplication (where n is usually a multiple of 8); fixed shift; variable rotation; substitution box (or S-box) lookup; and Galois-field GF(2^n) operations. Public-key algorithms in particular rely heavily on modular multiplication of large operands. Most conventional cryptographic algorithms have a basic iterative Feistel structure, i.e. a substitution-permutation network, and data that needs to be encrypted or decrypted is iteratively passed through a round function.

In all of these operations, the data dependencies in the function allow multiple units to operate in parallel. Moreover, these basic operations can be combined into a single specialized operation that achieves encryption or decryption. The input values to the cryptographic algorithms are usually keys that are reused. All of these properties can be exploited by reconfigurable hardware and can provide significant performance benefits.

Bit-wise XOR, modular addition and subtraction, fixed-value shifting and variable rotations are fast operations that can be implemented in FPGAs using very simple hardware elements. The Galois-field operation is multiplication with a constant, which can also be efficiently implemented in FPGAs. The most time-consuming operation is modular multiplication, which requires significant hardware resources. Reconfigurable hardware can be tuned to the cryptographic algorithm by dynamically matching the application's parallelism with an equal number of functional units [27]. Pipelining the units allows the hardware to exploit bit-level and instruction-level parallelism in the algorithm and can significantly speed up computation. The basic architecture options that are frequently encountered in hardware implementations of encryption and decryption algorithms are loop unrolling, where multiple rounds of an encryption algorithm are unrolled; iterative looping (a special case of loop unrolling, where only one round is unrolled); partial pipelining; and partial pipelining with sub-pipelining [21].

Iterative looping proves to be a hardware-saving option, particularly in ciphers that iterate over multiple rounds to encrypt (or decrypt) data. Look-up tables (LUTs), organized as banks of LUTs in the configurable logic blocks, can be used to store the round keys required in an n-round cipher. A loop unrolling architecture is generally implemented as a single combinational unit in which all rounds are unrolled, so that the cycle time required to perform an encryption or decryption operation is maximized. However, this leads to a slow system clock, because it also maximizes the worst-case register-to-register delay. Pipelining permits the hardware to operate on more than one block of data at a time, so that one block of plaintext is processed every cycle once the pipeline latency is met. The pipeline comprises replicated round-function hardware and intermediate registers that store the result of the computation of the preceding round-function unit. This type of pipelined operation is usually referred to as full pipelining in the literature. Fig. 6 illustrates a typical execution pipeline.

Generally, full pipelining requires a larger amount of resources than a loop unrolling architecture. Therefore, most of the implementations in FPGAs use partial pipelining. Sub-pipelining of this partial pipeline refers to the sub-division of each pipeline stage into smaller atomic blocks in order to reduce the pipeline delay between stages. This has two implications: more blocks of data can be operated upon simultaneously, but at the same time each encryption operation will take a larger number of clock cycles to complete. It is also clear to see from Fig. 6 why iterative looping is inefficient when it is pipelined: each round requires its own LUTs for storing round keys, which would imply that each round has one LUT holding only one round key.

Fig. 6: Full pipelining of execution units.
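
The core operations listed in Section 5.1 and the iterative-looping versus full-pipelining trade-off described above, as an added example that is not part of this report or of the cited implementations: a constructed toy 64-bit Feistel cipher in C whose round function uses only bit-wise XOR, modulo-2^32 addition, a nibble S-box, GF(2^8) multiplication by a constant, a key-dependent (variable) rotation and a fixed shift, together with a cycle-level model of a fully pipelined datapath (one replicated round unit per stage with a register between stages). The cipher, its S-box, its key schedule and the sample blocks are all constructed for illustration and the cipher is not secure; the model shows that the pipeline produces exactly the ciphertext that a single reused round unit produces, while finishing n blocks in ROUNDS + n - 1 cycles instead of the n x ROUNDS cycles that iterative looping needs.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy 64-bit Feistel cipher built only from the core operations of
 * Section 5.1. Illustration of structure, not a secure cipher. */
#define ROUNDS 8

/* Constructed 4-bit S-box (a permutation of 0..15), applied to each nibble. */
static const uint8_t SBOX[16] = {
    0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7
};

/* Variable rotation: the amount is data/key dependent rather than fixed. */
static uint32_t rotl32(uint32_t x, unsigned r) {
    r &= 31;
    return (x << r) | (x >> ((32 - r) & 31));
}

/* GF(2^8) multiplication modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1B;
        b >>= 1;
    }
    return p;
}

/* Round function F(R, K): add, substitute, GF-multiply, rotate, shift. */
static uint32_t round_fn(uint32_t r, uint32_t k) {
    uint32_t t = r + k;                               /* modulo-2^32 addition */
    uint32_t s = 0, g = 0;
    for (int i = 0; i < 8; i++)                       /* S-box on each nibble */
        s |= (uint32_t)SBOX[(t >> (4 * i)) & 0xF] << (4 * i);
    for (int i = 0; i < 4; i++)                       /* GF(2^8) multiply each byte by 0x03 */
        g |= (uint32_t)gf_mul((uint8_t)(s >> (8 * i)), 0x03) << (8 * i);
    uint32_t v = rotl32(g, k & 31);                   /* variable rotation by a key amount */
    return v ^ (v >> 7);                              /* fixed shift mixed in with XOR */
}

typedef struct { uint32_t l, r; } block_t;

/* Constructed key schedule: ROUNDS round keys from a 64-bit key. */
static void key_schedule(uint64_t key, uint32_t rk[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++)
        rk[i] = rotl32((uint32_t)(key >> 32) ^ (uint32_t)key, 5 * i) + 0x9E3779B9u * (uint32_t)(i + 1);
}

static block_t feistel_round(block_t b, uint32_t k) {
    block_t o = { b.r, b.l ^ round_fn(b.r, k) };
    return o;
}

/* Iterative looping: one round-function unit reused ROUNDS times, so a block
 * occupies the unit for ROUNDS clock cycles. */
static block_t encrypt_iterative(block_t b, const uint32_t rk[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++) b = feistel_round(b, rk[i]);
    return b;
}

/* Decryption is the same round hardware with the round-key order reversed. */
static block_t decrypt_iterative(block_t c, const uint32_t rk[ROUNDS]) {
    block_t s = { c.r, c.l };
    for (int i = ROUNDS - 1; i >= 0; i--) s = feistel_round(s, rk[i]);
    block_t o = { s.r, s.l };
    return o;
}

/* Cycle-level model of full pipelining: ROUNDS replicated round units with a
 * register after each. Every clock cycle each stage applies its round to the
 * block it holds and passes the result on; a new block enters every cycle and
 * one leaves every cycle once the pipeline is full. Returns the cycles used. */
static unsigned encrypt_pipelined(const block_t *in, block_t *out, unsigned n,
                                  const uint32_t rk[ROUNDS]) {
    block_t reg[ROUNDS] = {{0, 0}};
    int valid[ROUNDS] = {0};
    unsigned cycles = 0, fed = 0, done = 0;
    while (done < n) {
        for (int i = ROUNDS - 1; i > 0; i--) {            /* advance stages ROUNDS-1 .. 1 */
            valid[i] = valid[i - 1];
            if (valid[i]) reg[i] = feistel_round(reg[i - 1], rk[i]);
        }
        if (fed < n) { reg[0] = feistel_round(in[fed++], rk[0]); valid[0] = 1; }
        else valid[0] = 0;
        cycles++;
        if (valid[ROUNDS - 1]) out[done++] = reg[ROUNDS - 1];   /* block leaves the pipeline */
    }
    return cycles;
}

int main(void) {
    uint32_t rk[ROUNDS];
    key_schedule(0x0123456789ABCDEFull, rk);             /* constructed key */
    block_t in[5], out[5];
    for (unsigned i = 0; i < 5; i++) { in[i].l = 0x11111111u * (i + 1); in[i].r = 0xA5A5A5A5u ^ i; }
    unsigned cycles = encrypt_pipelined(in, out, 5, rk);
    printf("pipelined: %u cycles for 5 blocks (iterative looping: %u)\n", cycles, 5 * ROUNDS);
    for (unsigned i = 0; i < 5; i++)
        printf("%08x%08x -> %08x%08x\n", in[i].l, in[i].r, out[i].l, out[i].r);
    return 0;
}
```

The stage-shift loop runs from the last stage backwards so that each register receives the value of the stage before it from the previous cycle, which is what the intermediate registers of Fig. 6 do; replacing `feistel_round` in a stage with two half-round functions would model the sub-pipelining discussed above (shorter register-to-register delay, more cycles per block).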

Implementation and simulation results in [21] indicate that partial pipelining with sub-pipelines usually provides a performance improvement over the baseline implementation of the AES candidate ciphers. A detailed architectural description of FPGA implementations of symmetric cryptographic algorithms such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), and of public-key algorithms such as those based on elliptic curve cryptography, is provided in [21, 20, 23, 26].

[27] introduces a novel reconfigurable architecture known as PipeRench, which permits the implementation of cryptographic algorithms either entirely in a reconfigurable device or in part, with pieces of the algorithm in configurable hardware. PipeRench is a reconfigurable fabric that can either be integrated into the processor as a reconfigurable function unit (RFU) or built as a system-on-chip so that the fabric is closely coupled with the processor. PipeRench supports hardware virtualization. In essence, this permits configurations that are larger than the fabric to be executed, by dividing the application into pipeline stages and multiplexing these stages among the pipeline stages in the reconfigurable fabric (Fig. 7). Each pipeline stage, referred to as a stripe, comprises N processing elements, and each processing element is in turn made up of identically configured LUTs, registers and control logic. An inter-stripe interconnect is used to route values between the stripes. However, the current implementation of PipeRench does not support lookups through large tables. Hardware virtualization and the reconfigurable fabric permit efficient implementations of time-consuming operations like modular multiplication.

Fig. 7: Hardware virtualization in PipeRench [27]

[27, 21, 23] all provide implementations of symmetric ciphers in reconfigurable fabric. The demand on hardware is significantly increased when implementing public-key algorithms like RSA. The central operation of RSA is modular exponentiation, which is performed in hardware by a square-and-multiply algorithm (and is usually very time consuming). An efficient technique that increases the speed of modular multiplication is Montgomery's algorithm. A systolic array implementation in FPGAs for Montgomery modular exponentiation is proposed in [20]. The architecture implements a two-dimensional array of configurable units interconnected via horizontal and vertical routing channels. A more detailed discussion is provided in [17].
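
The square-and-multiply exponentiation and Montgomery multiplication mentioned above, as an added software model that is not code from this report or from the cited papers: Montgomery's REDC step keeps every intermediate result reduced without ever dividing by the modulus (a multiplication by n and a shift replace the division, which is what makes the method attractive for hardware such as the systolic array of [20]), and square-and-multiply runs over Montgomery representatives. The word size is a constructed choice (odd moduli below 2^32 with R = 2^32) so that every product fits in 64 bits; the RSA parameters p = 61, q = 53, n = 3233, e = 17, d = 2753 are textbook-sized sample values and not anything from the cited implementations.

```c
#include <stdint.h>
#include <stdio.h>

/* Montgomery modular multiplication and exponentiation for odd moduli n < 2^32,
 * with R = 2^32. Software model for illustration; the narrow word size keeps
 * all products within 64 bits. */

/* n' = -n^{-1} mod 2^32 by Newton iteration; n odd guarantees the inverse exists. */
static uint32_t mont_nprime(uint32_t n) {
    uint32_t inv = 1;                                  /* correct to 1 bit since n is odd */
    for (int i = 0; i < 5; i++) inv *= 2 - n * inv;    /* correct bits double each step: 2,4,8,16,32 */
    return 0u - inv;
}

/* REDC: given T < n * 2^32, return T * 2^-32 mod n using no division by n. */
static uint32_t mont_redc(uint64_t t, uint32_t n, uint32_t nprime) {
    uint32_t m = (uint32_t)t * nprime;                 /* m = (T mod R) * n' mod R */
    uint64_t mn = (uint64_t)m * n;
    uint64_t sum = t + mn;                             /* divisible by 2^32 by construction */
    uint64_t carry = sum < t;                          /* 65th bit of the sum */
    uint64_t u = (sum >> 32) | (carry << 32);          /* (T + m*n) / R, at most 2n - 1 */
    if (u >= n) u -= n;                                /* one conditional subtraction suffices */
    return (uint32_t)u;
}

/* Multiply two values already in Montgomery form (a*R mod n). */
static uint32_t mont_mul(uint32_t a, uint32_t b, uint32_t n, uint32_t nprime) {
    return mont_redc((uint64_t)a * b, n, nprime);
}

/* Left-to-right square-and-multiply over Montgomery representatives. */
static uint32_t mont_modexp(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t nprime = mont_nprime(n);
    uint32_t r_mod_n = (uint32_t)((1ull << 32) % n);             /* R mod n: the value 1 in Montgomery form */
    uint32_t r2 = (uint32_t)((uint64_t)r_mod_n * r_mod_n % n);   /* R^2 mod n, used for conversion */
    uint32_t x = mont_mul(base % n, r2, n, nprime);               /* base -> Montgomery form */
    uint32_t acc = r_mod_n;
    for (int i = 31; i >= 0; i--) {
        acc = mont_mul(acc, acc, n, nprime);                      /* square for every exponent bit */
        if ((exp >> i) & 1) acc = mont_mul(acc, x, n, nprime);    /* multiply on a 1 bit */
    }
    return mont_redc(acc, n, nprime);                             /* back to ordinary form */
}

/* Reference: plain square-and-multiply with a modulo (division) after every product. */
static uint32_t modexp_naive(uint32_t base, uint32_t exp, uint32_t n) {
    uint64_t result = 1 % n, b = base % n;
    while (exp) {
        if (exp & 1) result = result * b % n;
        b = b * b % n;
        exp >>= 1;
    }
    return (uint32_t)result;
}

int main(void) {
    /* Textbook-sized RSA sample: p = 61, q = 53, n = 3233, e = 17, d = 2753. */
    uint32_t n = 3233, e = 17, d = 2753, m = 65;
    uint32_t c = mont_modexp(m, e, n);
    printf("m = %u -> c = %u -> m = %u\n", m, c, mont_modexp(c, d, n));
    uint32_t big = 4294967291u;                        /* 2^32 - 5, an odd modulus near the word size */
    printf("montgomery %u, naive %u\n", mont_modexp(123456789u, 987654321u, big),
           modexp_naive(123456789u, 987654321u, big));
    return 0;
}
```

Each `mont_mul` costs one multiplication, one multiply-by-n and one shift, all on fixed word widths, whereas `modexp_naive` performs a 64-by-32-bit division per product; in a systolic array the REDC recurrence is what is spread across the cells, and a real RSA operand size would use multi-word operands with the same structure.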

5.2 Reconfigurable Cryptographic Co-Processor

In the previous section, we described the architectural considerations in implementing cryptographic algorithms in reconfigurable hardware. A reconfigurable cryptographic coprocessor may be built out of FPGAs together with some additional units. [19] describes a cryptographic co-processor that operates on symmetric block ciphers. PipeRench, in a similar capacity, permits operation on stream ciphers. In either case, reconfigurable hardware in the form of a tightly coupled or loosely coupled coprocessor augments a main processor, to offload the overhead incurred in the encryption and decryption of data. Conceivably, the systolic array configuration may also be included to handle asymmetric-key ciphers.

Fig. 8: (a) Cryptographic coprocessor system on an FPGA; (b) coprocessor block diagram [19]

Figures 8a and 8b show details of the cryptographic co-processor system and the block diagram of the co-processor respectively. An algorithm library in the form of non-volatile memory and a micro-controller provides cryptographic algorithms optimized for hardware, which can be used to dynamically reconfigure the coprocessor for encrypting/decrypting data. The desired algorithms are stored in the non-volatile memory, while the micro-controller is used to select the algorithm from the algorithm library and program the cryptographic coprocessor. The system controller arbitrates interactions between the coprocessor, the algorithm library and the host processor. The coprocessor itself resides on an FPGA, and once the system controller has programmed the coprocessor with the desired algorithm, it can process data. Depending on its configuration, the coprocessor can process either a stream or blocks of data. The coprocessor system in [19] is designed to operate on blocks of data rather than streams. The coprocessor comprises a control unit and the algorithm core. Data registers are used to latch the input and output data blocks; the data registers could be replaced by buffers for a stream-data implementation.

The control logic is responsible for interpreting and passing system control signals and control words to the algorithm core. The algorithm core contains the algorithm-specific logic, i.e. the logic needed for bit-wise XOR, modular addition, multiplication and subtraction, Galois-field operations, etc. The algorithm core may also contain a finite state machine required for processing data. This combination of the control unit and the algorithm core provides a standard interface between the algorithm and the system.

6 Reconfigurable Caches and Functional Units

Most microprocessors in embedded computing environments include on-chip caches, like their non-embedded counterparts. Caches often take up a large amount of the on-chip area, and a large portion of this cache may not be used all the time. [25] presents a novel architecture with which on-chip caches can be reconfigured to behave as computational units. This idea fits very well within an embedded computing environment: such a processor with a reconfigurable cache can be dynamically configured to create functional units when needed.

6.1 Architecture of the Reconfigurable Cache

The main idea behind this approach is that most applications do not use the entire cache, and therefore units of the cache that are not being utilized can be reconfigured to form functional units that assist in computation. The approach uses multi-bit-output look-up tables (LUTs) instead of single-output LUTs, since these are better suited for use both as a cache and as a functional unit. Fig. 9 shows a 2x2 or a 4x2 constant-coefficient multiplier.

Fig. 9: 2x2 or 4x2 constant-coefficient multiplier [25]

A large multi-bit-output LUT as shown in Fig. 9 may not be area efficient in many cases, and [25] shows implementations of functional units using a number of smaller multi-bit-output LUTs. Besides this, registers are also added so that the function units can be pipelined. The data caches are physically partitioned into n cache modules, of which some modules are used as dedicated caches, while the other modules are reconfigurable. A reconfigurable module can be used as a cache, if it is determined that more cache is needed, or as a compute unit, in applications that do not use more than the dedicated cache space.

Fig. 10: Processor organization with multiple reconfigurable cache modules. [25]

Fig. 10 shows how the cache modules that are not being used can be reconfigured into cryptographic units or FIR/FFT units. These units can also be used in the processing of biometric information, which is usually a compute-intensive job. Some cache modules can be configured to function as data input or output units so that they may be accessed at the speed of the functional unit. This is especially beneficial in cryptographic applications, because data can be continuously accessed from the input/output unit and fed to the cryptographic core. The cache/function units are connected to the host processor by a reconfigurable multiple-bus network (RMB) to provide the high communication bandwidth required by the interaction between the functional units and the host processor.

The cache is organized as a two-dimensional LUT matrix. Each LUT is organized as a 16-entry table of the desired width. In cache mode, the 4 least significant bits of the cache address line select an entry from each LUT, so that one word is selected in each LUT row according to these 4 bits. The LUT produces as many bits of output as its width. The remaining address bits are used to select the LUTs in the matrix, so that any row of the LUT matrix can be read or written as a global cache line. In functional-unit mode, the output of each LUT row is routed to become the input to the next row of LUTs, as in a pipeline.

The caches are configured as function units by writing the entries of the required LUTs into the cache. The configuration data to program the reconfigurable hardware may be present in an algorithm library, as in [19], or in an off-chip memory. An advantage of having caches reconfigured as functional units is that functions that have many stages can be realized in hardware, because these stages can be created dynamically. In many functions (such as DES or Triple DES) the stages are similar: only the data contained in the LUTs changes, while the essential interconnection between the units remains untouched. Since some of the cache can be used as a dedicated cache unit, all input data required can be placed in the cache and processed using the current configuration.

Then, the contents of the LUTs can be changed to convert a stage in the cache block to behave as a different stage. Additional modules are necessary in this case to store intermediate results. This particular set of operations resembles many of the operations found in cryptographic algorithms and in pipelines. Therefore, the cache units can be configured as cryptographic cores, which can be pipelined for high throughput. However, it is also important to note that this approach adds about 10-20% area overhead relative to the base cache memory area, with a 1-2% increase in cache access times [25].
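
The LUT matrix described in this section, as a constructed C model added here (it is not code from [25] or from this report): one cache module of four 16-entry, 8-bit-output LUT rows. In cache mode the low 4 address bits select an entry and the next address bits select the row; programming a row as a functional-unit stage is simply writing its 16 entries, and in functional-unit mode each row's output feeds the index of the next row. The stage functions (a 4-bit S-box, here the PRESENT cipher's S-box used only as sample contents; XOR with a key nibble; multiplication by a constant, i.e. a 4xW constant-coefficient multiplier in the style of Fig. 9) and the key values are constructed for illustration. The registers between rows that the model omits would make this a four-stage pipeline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one reconfigurable cache module organised as a matrix
 * of 16-entry, multi-bit-output LUTs. The same storage serves as a cache or,
 * once its entries are rewritten with function tables, as a chain of
 * functional-unit stages. Illustration only. */

#define LUT_ENTRIES 16      /* indexed by 4 address bits */
#define ROWS 4              /* LUT rows in the module */

typedef struct {
    uint8_t lut[ROWS][LUT_ENTRIES];   /* 8-bit output per entry */
} cache_module_t;

/* Cache mode: address bits [3:0] select the entry, the next bits select the row. */
static void cache_write(cache_module_t *m, unsigned addr, uint8_t word) {
    m->lut[(addr >> 4) % ROWS][addr & 0xF] = word;
}

static uint8_t cache_read(const cache_module_t *m, unsigned addr) {
    return m->lut[(addr >> 4) % ROWS][addr & 0xF];
}

/* Functional-unit mode: "programming" a row means writing its 16 entries with
 * a function table, the same operation the cache-mode write path performs. */
typedef uint8_t (*stage_fn)(uint8_t x, uint8_t arg);

static void program_row(cache_module_t *m, unsigned row, stage_fn f, uint8_t arg) {
    for (unsigned x = 0; x < LUT_ENTRIES; x++)
        m->lut[row][x] = f((uint8_t)x, arg);
}

/* Sample stage functions. SBOX is PRESENT's 4-bit S-box, used only as sample contents. */
static const uint8_t SBOX[16] = {0xC,0x5,0x6,0xB,0x9,0x0,0xA,0xD,0x3,0xE,0xF,0x8,0x4,0x7,0x1,0x2};
static uint8_t stage_sbox(uint8_t x, uint8_t unused)  { (void)unused; return SBOX[x & 0xF]; }
static uint8_t stage_xor_key(uint8_t x, uint8_t k)    { return (uint8_t)((x ^ k) & 0xF); }   /* round-key mixing */
static uint8_t stage_const_mult(uint8_t x, uint8_t c) { return (uint8_t)(x * c); }          /* 4xW constant multiplier */

/* Chained evaluation: row 0 is indexed by the input nibble, each later row by
 * the low 4 bits of the previous row's output; the last row's full width is
 * the result. A register after each row would pipeline this. */
static uint8_t fu_eval(const cache_module_t *m, uint8_t x) {
    uint8_t v = x & 0xF;
    for (unsigned r = 0; r < ROWS; r++)
        v = m->lut[r][v & 0xF];
    return v;
}

/* A substitute / key-mix / substitute / scale unit built from the four rows. */
static void configure_crypto_unit(cache_module_t *m, uint8_t key_nibble) {
    program_row(m, 0, stage_sbox, 0);
    program_row(m, 1, stage_xor_key, key_nibble);
    program_row(m, 2, stage_sbox, 0);
    program_row(m, 3, stage_const_mult, 3);
}

/* The same composition computed directly, to check the row-to-row routing. */
static uint8_t crypto_unit_reference(uint8_t x, uint8_t key_nibble) {
    return (uint8_t)(3 * SBOX[(SBOX[x & 0xF] ^ key_nibble) & 0xF]);
}

int main(void) {
    cache_module_t mod;
    memset(&mod, 0, sizeof mod);

    /* cache mode: 64 bytes of constructed data, one 16-entry line per row */
    for (unsigned a = 0; a < ROWS * LUT_ENTRIES; a++) cache_write(&mod, a, (uint8_t)(a * 7));
    printf("cache[0x13] = 0x%02x\n", cache_read(&mod, 0x13));

    /* reconfigure as a functional unit: only the LUT contents change */
    configure_crypto_unit(&mod, 0x5);
    for (unsigned x = 0; x < 4; x++)
        printf("fu(%u) = %u (reference %u)\n", x, fu_eval(&mod, (uint8_t)x),
               crypto_unit_reference((uint8_t)x, 0x5));

    /* a new round key is a rewrite of row 1 alone; the interconnection is untouched */
    program_row(&mod, 1, stage_xor_key, 0xA);
    printf("fu(0) with key 0xA = %u\n", fu_eval(&mod, 0));
    return 0;
}
```

Switching the module back to cache mode is again just writes through `cache_write`, which is the point of the design: the mode is defined by what the entries hold, and the 10-20% area overhead quoted above pays for the routing between rows and the mode selection, not for separate compute storage.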

6.2 Energy Efficiency

Besides doubling as functional units, the caches in the processor can be powered down when not in use or when not needed. This represents a trade-off between saving energy and performance. For example, an application may reconfigure portions of the cache to behave as a compute unit, which will increase performance. On the other hand, it could also power down this unused portion of the cache so that there is an overall energy saving in the device. Energy efficiency is an important metric, and it is often measured in terms of the energy-delay product, which combines the speed of processing with the corresponding power dissipated or utilized. We note that reducing power at the expense of computation time is often not desirable, and neither is the reverse. An efficient way to strike a balance is to operate the device at a break-even point where the power dissipated is low and the computational time is also reduced. Reconfigurable logic permits energy efficiency because portions of the logic that are unused can be shut down. [24] provides a detailed description of an energy-efficient implementation of reconfigurable cryptographic processors.

7 Conclusions and Future Work

In this report, we have described potential implementations of cryptographic hardware in reconfigurable logic. We have also described some possible biometric schemes that can be used for authentication on networked embedded computers. Public-key infrastructures are secure, but only to the extent that the private keys of individuals are kept secret. Usually this involves securing the private key(s) using a password, a PIN or a token. Biometrics alone do not provide a great deal of safety, but a combination of biometrics, or a combination of biometrics, passwords or PINs and tokens, provides a higher degree of security for embedded computing devices than passwords or tokens alone. Further, biometrics should not be used as keys in encryption because they are not really secrets per se, but biometrics can secure keys with greater confidence and with a higher level of security compared to other security mechanisms. An avenue for future work is investigating the authentication of users in embedded or mobile computing networks using biometrics. Clearly, if a biometric is stolen in transit, then the system or the network is subject to replay attacks. Another area of future work would be extending the research in [25] by modeling, simulating, and benchmarking reconfigurable caches that are reconfigured for cryptographic applications. Yet another area for future work is investigating the use of reconfigurable logic for biometric applications in particular. We know that voice recognition or fingerprint recognition technology uses FFT or FIR units, and therefore studying and designing functional units with reconfigurable logic tuned for biometric applications would be a significant and progressive step in securing embedded networked systems.

References

[1] Webster’s Ninth New Collegiate Dictionary, Merriam-Webster, Inc., Springfield, Massachusetts.

[2] Peter G. Bianco, “The Future is Now”, Address Transcript, Vital Speeches, Vol. 67 No. 2, pp. 48, Nov 2000.

[3] U. Halici, L. C. Jain, A. Erol, “Intelligent Biometric Techniques in Fingerprint and Face Recognition”, pp. 1-34, CRC Press.

[4] P. J. Phillips, A. Martin, C. L. Wilson, M. Przybocki, “An Introduction to Evaluating Biometric Systems”, IEEE Computer, Vol. 33 No. 2, February 2000.

[5] Lin Hong, Yifei Wan, Anil Jain, “Fingerprint Image Enhancement: Algorithm and Performance Evaluation”, IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 20 No. 8, August 1998.

[6] Anil Jain, Lin Hong, Ruud Bolle, “On-line Fingerprint Verification”, IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 19 No. 4, April 1997.

[7] Michael Negin, T. A. Chmielewski et al., “An Iris Biometric System for Public and Personal Use”, IEEE Computer, Vol. 33 No. 2, February 2000, p. 70.

[8] R. W. Frischholz, U. Dieckmann, “BioID: A Multimodal Biometric Identification System”, IEEE Computer, Vol. 33 No. 2, February 2000.

[9] James L. Wayman, “Federal Biometric Technology Legislation”, IEEE Computer, Vol. 33 No. 2, February 2000.

[10] A. J. Klosterman, G. Ganger, “Secure Continuous Biometric-Enhanced Authentication”, Technical Report, CMU, May 2000.

[11] Ian Jermyn, Alain Mayer et al., and Aviel D. Rubin, “The Design and Analysis of Graphical Passwords”, http://www.usenix.org/events/sec99/full_papers/jermyn/jermyn_html/camera3.html

[12] BioFirst Corporation, http://www.gissi.com/biofirst/Products/BioSAS/biosas.asp, accessed April 2001.

[13] Defensive Tools Corporation, http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20001206S0006/2, accessed April 2001.

[14] Identix Corp., http://www.identix.com/itsecurity/products/BioTouch.html, accessed April 2001.

[15] S. Liu, M. Silverman, “A Practical Guide to Biometric Security Technology”, IEEE IT Professional, Vol. 3 No. 1, Jan/Feb 2001.

[16] A. Jain, R. Bolle, and S. Pankanti, “Biometrics: Personal Identification in Networked Society”, Kluwer Academic Publishers, July 1999.

[17] T. Blum, C. Paar, “Montgomery Modular Exponentiation on Reconfigurable Hardware”, in Proceedings of the 14th IEEE Symposium on Computer Arithmetic, April 1999.

[18] B. Gladman, “Implementation Experience with AES Candidate Algorithms”, in Proceedings of the Second AES Candidate Conference (AES2), March 1999.

[19] C. Paar, B. Chetwynd, T. Connor, et al., “An Algorithm-Agile Cryptographic Coprocessor Based on FPGAs”, in SPIE’s Symposium on Voice, Video and Data Communications, September 1999.

[20] A. J. Elbirt, C. Paar, “Towards an FPGA Architecture Optimized for Public-Key Algorithms”, in SPIE’s Symposium on Voice, Video and Data Communications, September 1999.

[21] A. J. Elbirt, W. Yip, C. Paar et al., “An FPGA Implementation and Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists”, Third Advanced Encryption Standard (AES) Conference, 2000.

[22] “Intel Itanium Processor: High Performance on Security Algorithms (RSA Decryption Kernel)”, Intel White Paper, 1999, http://developer.intel.com/design/ia-64/, accessed April 2001.

[23] J. P. Kaps, “High Speed FPGA Architectures for the Data Encryption Standard”, Master’s Thesis, Worcester Polytechnic Institute, May 1998.

[24] J. R. Goodman, “Energy Scalable Reconfigurable Cryptographic Hardware for Portable Applications”, PhD Thesis, MIT, August 2000.

[25] H. S. Kim, A. K. Somani, A. Tyagi, “A Reconfigurable Multi-function Computing Cache Architecture”, in Proceedings of FPGA 2000, February 2000.

[26] M. C. Rosner, “Elliptic Curve Cryptosystems on Reconfigurable Hardware”, Master’s Thesis, Worcester Polytechnic Institute, May 1998.

[27] R. Taylor, S. Goldstein, “A High-Performance Flexible Architecture for Cryptography”, in Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES), August 1999.