               Implementing Crypto Microprocessor using Rijndael

                               Abdel-Karim R. Al Tamimi
                       Computer Science and Engineering Department
                           Washington University in St. Louis
                                   St. Louis, Missouri

Abstract

This work presents a microprocessor for executing programs which have been
enciphered. Such a crypto-microprocessor deciphers the enciphered program
piecemeal as it executes it. Deciphered instructions are stored inside
another memory module to allow the processor to access them on the fly. An
implementation of Rijndael, the Advanced Encryption Standard (AES) of the
National Institute of Standards and Technology (NIST), is used to encrypt
and decrypt data, running its symmetric cipher algorithm with a key size of
128 bits, a mode called AES128. Such a microprocessor reduces the security
risks related to code mobility.

1. Introduction

Wireless sensor networks are increasingly becoming viable solutions to many
challenging problems and will successively be deployed in many areas in the
future. Wireless sensor network devices have two key aspects: they use low
power devices, and they are small in size relative to other devices used in
other kinds of networks. Many applications introduced at the present time
use a wireless network as their network infrastructure. However, deploying
a new technology without keeping security in mind has often proved to be
unreasonably dangerous [1]. What is proposed in this paper is a way to
transfer data/programs through sensor networks without sacrificing data
security. The main idea is to develop a microprocessor that can execute
encrypted instructions gradually as needed (referenced) inside the running
program.

The idea of encrypting program instructions down to the binary level and
decrypting them gradually as they are needed in the program was described
first by Best [2, 3]. But because of the overhead of the cryptographic
functions involved in such circuits, it was never used on a large scale.

The great innovations in the IC industry motivate us to reevaluate the
solution and revisit the subject again. What demanded a large number of
power-hungry chips in the old days can now be implemented by a single,
small and power-efficient chip.

The idea proposed in this paper also seeks to reduce to a minimum the
performance sacrificed to the decryption functionality.

This paper is organized as follows: Section 2 presents an overview of
cryptography, Section 3 shows the reason behind using Rijndael over other
cryptographic algorithms, Section 4 introduces the new architecture
proposed, Section 5 presents simulation results, while Section 6 describes
future work and some conclusions.

2. Cryptography overview

Cryptography is not a recent science, but an old strategy to guarantee that
information is exchanged securely, which means that other people do not
have access to the encrypted information. Many devices were utilized in
history, like the mechanical equipment used by Germany in World War II
(Enigma). The core of security back then was to hide the algorithm you are
using, so that intruders cannot use reverse engineering to find out the
encryption algorithm used.

Nowadays, cryptography is largely used in Internet banking systems and
other money transfer operations.

Cryptographic algorithms nowadays are provided to the public, since it is
believed that the security core or emphasis should be moved from securing
the algorithm to securing the key used in that algorithm.

In cryptography, the original data is called plaintext. The process of
hiding the information is called encryption. The result (hidden text) is
called cipher text. To extract the original data (plain text) from the
hidden text, we execute the decryption process, which requires knowing the
secret key used in the encryption process.

There are two main types of cryptography: symmetric and asymmetric. In the
first type, symmetric cryptography, the communication between the two sides
uses one key, called the secret key or private key, which should be known
to the two sides before they can communicate. This secret key is used to
encrypt and decrypt the information exchanged between them.

In an asymmetric algorithm, there are two sets of keys: public key and
private key. The public key is used to encrypt the secret key you want to
exchange. In a simple scenario, if we assume that host A wants to contact
host B securely, it will send a request to host B requesting its public
key. When it arrives at host A, host A encrypts the secret key it wants to
be used in the communication process and sends it back to host B. The only
one who can decrypt the encrypted secret key is host B; think of it as if
host B holds two parts of the key and hands only one of them to host A.
After the operation is done successfully, the two hosts can start
transferring their data using symmetric encryption. The secret key used for
the encryption/decryption process is the one exchanged [6].

Cryptography needs a standard, since communication is only possible when
the same algorithm is used on both sides.

Data Encryption Standard (DES) is a well-known 64-bit block and 56-bit key
private-key symmetric encryption algorithm. It was made into a federal
standard in 1977 and has since been widely used. A $1 million brute-force
DES-cracking machine that can break a DES key in about 3.5 hours has been
reported [7].

To replace the old Data Encryption Standard (DES), on September 12, 1997,
the National Institute of Standards and Technology (NIST) called for
proposals for what is called the Advanced Encryption Standard (AES) [8].
After the Round 1 selection process, five algorithms were chosen to advance
to Round 2, in which NIST improved the analysis of each proposal,
encouraging “attacks” on all competitors [9]. The five algorithms selected
are:

  • MARS
  • RC6
  • RIJNDAEL
  • SERPENT
  • TWOFISH

At the end of Round 2, the conclusion was that the five competitors showed
similar characteristics. On October 2nd, NIST announced the Rijndael
algorithm as the winner of the contest, because it has the best overall
scores in security, performance, efficiency, implementability and
flexibility [10].

3. Rijndael Encryption Algorithm

The Rijndael algorithm was developed by Joan Daemen and Vincent Rijmen. The
name Rijndael is a portmanteau of the names of the inventors. Rijndael is a
private-key symmetric block encryption algorithm that supports 128, 192,
and 256-bit length keys and operates on 128, 192,
256-bit blocks. All nine combinations of key length and block size are
possible. In this work, all the implementation was focused on AES128.
Rijndael has been implemented in software using C/C++, Java, C#, assembly
languages and many other languages [11, 12]. Software implementations offer
limited throughput capabilities compared to specialized hardware chips. In
this paper a hardware implementation called AES86 is used, provided by
ht-lab and working at a relatively low rate of about 37 Mb/s [13] (since
the proposed solution aims to address privacy risks regardless of the
speed). Table A shows software implementation throughputs [14].

  Implementation    Encryption Speed
  ANSI C            27 Mb/s
  Visual C++        70.5 Mb/s

  Table A: Software implementation throughput.

Table B shows some of the commercial hardware AES cores available nowadays
[15].

  Core           Technology     Speed      Throughput
  AES 32-bit     TSMC 0.13 u    400 MHz    ~1.16 Gbit/s
  AES 32-bit     UMC 0.18 u     344 MHz    ~997 Mbit/s
  AES 128-bit    TSMC 0.13 u    400 MHz    ~4.64 Gbit/s
  AES 128-bit    UMC 0.18 u     344 MHz    ~3.99 Gbit/s

  Table B: Hardware implementation throughput

As we can notice in Table B, a customized hardware implementation of
Rijndael can offer a very high throughput rate. Rijndael has two main modes
of operation, Electronic Code Book (ECB) and Cipher Block Chaining (CBC).
The ECB mode is the simplest one and encrypts each block of 128 bits
independently of the others. A more secure method is to XOR each input
block with the cipher text of the preceding block before encryption; this
is called Cipher Block Chaining [13]. The proposed module uses ECB mode
since it offers more throughput and is easier to implement.

4. Crypto Microprocessor Architecture

The proposed architecture can be attached to any processor design
available; a simple 32-bit 5-stage pipeline processor was used to
demonstrate the behavior of the model.

  Figure A: Simple MIPS microprocessor

Figure B shows the extra components added to the simple MIPS microprocessor
to implement the proposed architecture. There are 5 modules added to the
architecture (only 4 are shown).

  Figure B: Changes made to simple MIPS MP.

In the front end, these modules were added (beside the decryption module
described before):

  • 128-bit SRAM memory module: a 64-KBx16 Bytes memory module is used to
    store the encrypted instructions. The length 128-bit is used because it
    is the most suitable length as a trade-off between convenience and
    efficiency. Four 32-bit instructions are stored as one 128-bit
    encrypted entry, since the Encryption/Decryption module uses AES128 bit
    ECB. If the total size of the instructions is not 128-bit divisible,
    zero padding is used to keep the system able to encrypt/decrypt the
    needed instructions.

  • Used bit array (64-Kb ≡ 8KB): this module is used to tell whether the
    instruction in the 128-bit SRAM module has been encrypted before or
    not. This information helps the decision maker module (introduced in
    the following point) to decide whether the memory references in the
    main system memory (32-bit long) are valid or not. Most of the time
    this check is the only overhead added to the system.

  • Decision maker: This module is the heart of the system. It works
    according to the following algorithm:
      1. New PC value is available.
      2. Check whether the memory reference was decrypted before (using the
         used bit for each entry) and whether it is in the main memory (is
         the memory reference valid in the main memory); then we will have
         two options.
      3. If the memory reference is valid (the instruction has already been
         decrypted, USED = '1'), the system will continue as if there were
         no extra modules in the way. This reduces the performance penalty
         to this extra check.
      4. If the memory reference is not valid (USED = '0'), the decision
         maker stalls the pipelines (by sending the FREEZE signal), putting
         the processor in a freeze state, and then it decrypts the 128-bit
         reference and stores it back into the main system memory module as
         four 32-bit chunks of data.

Figure C shows the flow diagram of the decision maker behavior.

  Figure C: Decision maker flow chart (New PC available; Mem. Ref. Valid?
  False: decrypt the required instruction and store it; True: continue
  working normally)

The decryption process results in decrypting 4 instructions at a time. This
gives the system the opportunity to reference them without the need to
decrypt the whole 128-bit entry again. When the program has referenced all
the pages it normally uses, the behavior of the system will be almost
identical to the one without security capabilities, since all the needed
instructions will be ready to be fetched from the system main memory
module.

On the other end (output) one module was added to let the system output its
results in encrypted form. In this case two possible approaches were
available:
  1. Encrypt each 32-bit output after adding 128-bit zero padding to it.
  2. Wait until four 32-bit output chunks are ready and then encrypt them
     without adding any kind of padding.

Option number 1 was used, since it is related more to sensor networks
world.
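
The decision-maker algorithm above as a small software model, added here as an illustration and not the paper's own hardware or assembler code: it reproduces the [w]1000, [w]1001, [w]1010, [w]1011, [r]1010 address sequence that the simulation section reports for memory reference 1010, and it shows that ECB gives identical 128-bit instruction groups identical cipher text. A hash-based Feistel cipher stands in for AES-128 so that the model runs with the standard library only; the class and function names, the key and the sample program are assumptions constructed for this example.

```python
import hashlib

WORDS_PER_ENTRY = 4   # four 32-bit instructions per 128-bit SRAM entry
ROUNDS = 4

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Stand-in 128-bit block cipher (NOT AES): Feistel network over SHA-256."""
    left, right = block[:8], block[8:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left   # final swap: reversed round order inverts the cipher

def encrypt_block(key, block):
    return _feistel(key, block, range(ROUNDS))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(ROUNDS)))

def encrypt_program(key, instructions):
    """Pack 32-bit words into 128-bit entries (zero padded), encrypt each in ECB."""
    words = list(instructions)
    words += [0] * (-len(words) % WORDS_PER_ENTRY)
    return [encrypt_block(key, b"".join(w.to_bytes(4, "big") for w in words[i:i + 4]))
            for i in range(0, len(words), WORDS_PER_ENTRY)]

class DecisionMaker:
    def __init__(self, key, sram):
        self.key, self.sram = key, sram
        self.used = [0] * len(sram)   # used-bit array, one bit per 128-bit entry
        self.main = {}                # main memory: word address -> 32-bit word
        self.trace = []               # memory-module address sequence
        self.freezes = 0              # number of times FREEZE was asserted

    def fetch(self, pc):
        entry = pc // WORDS_PER_ENTRY
        if not self.used[entry]:                  # step 4: reference not valid
            self.freezes += 1                     # stall the pipeline
            plain = decrypt_block(self.key, self.sram[entry])
            base = entry * WORDS_PER_ENTRY
            for k in range(WORDS_PER_ENTRY):      # write four 32-bit chunks
                self.main[base + k] = int.from_bytes(plain[4 * k:4 * k + 4], "big")
                self.trace.append(f"[w]{base + k:04b}")
            self.used[entry] = 1
        self.trace.append(f"[r]{pc:04b}")         # step 3: normal fetch
        return self.main[pc]

def duplicate_entries(sram):
    """ECB caveat: count cipher-text entries that repeat an earlier entry."""
    return len(sram) - len(set(sram))

# Constructed sample: a key and 11 instruction words (two all-NOP groups first).
KEY = bytes(range(16))
PROGRAM = [0x00000000] * 8 + [0x8C080000, 0x8C090004, 0x0109502A]

if __name__ == "__main__":
    sram = encrypt_program(KEY, PROGRAM)
    dm = DecisionMaker(KEY, sram)
    dm.fetch(0b1010)
    print(dm.trace, "freezes:", dm.freezes)
    print("repeated cipher-text entries:", duplicate_entries(sram))
```

The repeated entry comes from the two identical NOP groups: anyone who can read the encrypted SRAM image learns which 128-bit groups of the program are equal, which is the cost of choosing ECB over CBC here.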

5. Modeling and Simulation Results

In this section I will show both sides of the project. The first part is to
convert the binary instructions from plain binary instructions 32-bit wide
to 128-bit wide encrypted units. An assembler was created to facilitate the
process. The assembler was programmed using C#.NET. It is divided into three
  1. Separate data section from instructions section. Compute labels
     values and replace labels with their
  2. Convert instruction from their text format to binary format with 32-bit
  3. Convert binary instruction data to 128-bit encrypted chunks. (Rijndael
     managed class provided with .NET framework 1.1 was used [16])

Figures D.a, D.b and D.c show the three steps.

  Figure D.a: (Step 1) Replacing labels with their line values.
  Figure D.b: (Step 2) Decode instructions
  Figure D.c: (Step 3) Encrypt binary instructions

The second part of the project is the simulation process for the model. The
simulation was done using ModelSim 6.0a. In this simulation a small program
to execute the bubble sort algorithm was used. The following figure show how
the simulation

  Figure E: Project Simulation

Figure E shows how the system reacted after an invalid memory reference.

  • New address is requested.

  • The decrypted data is ready and it is written as four chunks of 32-bit
    instruction.

  • Write bit is activated to allow the decision maker to write to the main
    memory module.

  • Decrypted instructions are written to the main memory module and are
    ready to be fetched.

  • Input Address for the memory module changes according to the data
    written to the module. For instance, if we have 1010 memory reference,
    the sequence of memory addresses will be: [w]1000, [w]1001, [w]1010,
    [w]1011, [r]1010.

  • Freeze signal (stall system pipelines) is activated while the
    decryption process is running, then it is deactivated after finishing
    writing the four 32-bit chunks back to the memory.

Figure F shows how the memory is changed after the last memory reference.

  Figure F: Memory Contents

As shown in the figure above, the system decrypts the instructions
gradually as needed. Since most, if not all, sensor network programs execute
their program an infinite number of times, after the first execution of the
program it will be decrypted and ready to be fetched from the main memory.
The system shows almost identical performance results to the same system
configuration without encryption capabilities.

6. Conclusions and future work

A simple and efficient solution to security vulnerabilities in the sensor
networks world, especially when updating mobile sensors' programs, was
presented. The solution supports the capability of sending encrypted
instructions through sensor networks without sacrificing security.

Although the system adds extra overhead due to the decryption process,
today's chips show a throughput capability that exceeds the needs of mobile
hosts. Moreover, this overhead is applied once per program, i.e. once the
program is decrypted into the system main memory the performance will be
almost identical to prior unsecured systems.

The next step is to synthesize the project and have it available on a
ready-to-use chip. Extra work might be done to produce a top-notch
decryption/encryption unit with low power consumption to allow mobile units
to live longer.

I would like to thank my professor (Prof. Young Cho) for his sincere work
and important directions. Also, I would like to thank my classmates who
provided a challenging environment that led to this

References

[1] Stefan Schmidt, Holger Krahn, Stefan Fischer, and Dietmar Watjen, “A
Security Architecture for Mobile Wireless Sensor Networks”.
[2] R.M. Best, “Preventing Software Piracy with Crypto-Microprocessors,”
Proc. IEEE Spring COMPCON ’80, pp. 466-469, San Francisco, 25-28 Feb. 1980.
[3] R.M. Best, Microprocessor for Executing Enciphered Programs, U.S.
patent 4,168,396, 18 Sept. 1979.
[4] R.M. Best, Crypto Microprocessor for Executing Enciphered Programs,
U.S. patent 4,278,837, 14 July 1981.
[5] R.M. Best, Crypto Microprocessor that Executes Enciphered Programs,
U.S. patent 4,465,901, 14 Aug. 1984.
[6] Alex Panato, Marcelo Barcelos, Ricardo Reis, A Low Device Occupation IP
to implement Rijndael Algorithm.
[7] D. Runje and M. Kovac, “Universal Strong Encryption FPGA Core
Implementation,” Proceedings of IEEE Design Automation and Test in Europe,
pp. 923-924.
[8] NIST. Advanced Encryption Standard (AES). Official NIST homepage about
AES.
[9] NIST. AES Round 2 Information, Official NIST information about the five
algorithms selected to the second round of AES.
[10] NIST. Commerce Department Announces Winner of Global Information
Security Competition, Official NIST site.
[11] J. Daemen and V. Rijmen, The Rijndael Block Cipher, AES proposal,
ver. 2, March 1999.
[12] The Rijndael Page, available at http://www.iaik.tu-
[13] ht-lab website, free cores page.
[14] Mrs. G. Umamaheswari, Dr. A. Shaunmugam, “Efficient VLSI implementation
of the block cipher Rijndael
[15] CAST cores, http://www.cast-
[16] MSDN website,