Title: A Network Security Processor Design Based on an Integrated SOC and Test Platform
1 A Network Security Processor Design Based on an Integrated SOC and Test Platform
Chen-Hsing Wang, Chih-Yen Lo, Min-Sheng Lee,
Jen-Chieh Yeh, Chih-Tsun Huang, Cheng-Wen Wu,
Shi-Yu Huang
- Laboratory for Reliable Computing (LaRC)
- Electrical Engineering Department
- National Tsing Hua University
2 Outline
- Introduction
- Motivation
- Basics of cryptography system
- Platforms proposed for network security processor design
- Architecture platform
- EDA platform
- DFT platform
- Prototyping platform
- Experimental Implementation results
- Conclusions
3 Introduction
- Data security has become an important issue in communication applications
- Security protocols, such as SSL and IPSec, use public-key and secret-key algorithms to ensure data safety
- Software approach does not meet high throughput requirement
- ASIC design style is infeasible
- Time-to-market pressure
- Non-recurring engineering cost
- Increasing circuit complexity
4 Introduction (Cont'd)
- We design a Network Security Processor (NSP) based on proposed platforms
- Supporting popular cryptography algorithms
- Suitable for communication applications
- Scalable
- Inserting/removing crypto-engines is easy
- Using proposed platforms dramatically reduces redesign cycle
- Testability considered
5 Asymmetric Key Crypto-System
[Figure: a plaintext message between Alice and Bob is transformed by f() into ciphertext and back by f(). They use different keys.]
6 Symmetric Key Crypto-System
[Figure: a plaintext message between Alice and Bob is transformed by f() into ciphertext and back by f(). They use the same key.]
7 Message Authentication Code
[Figure: a message between Alice and Bob, with MAC() computed on each side and the digest compared.]
9 System Design Overview
[Block diagram: Host Processor, Security Processor, IO Interface]
10 Architecture Platform
- On-chip bus: AMBA
- The platform for NSP includes
- Host processor (ARM922T)
- Security Co-Processor
- AES, RSA, HMAC-SHA1/MD5 and RNG
- Memory Control Interface (MCI)
- Internal/external memory
- Test Interface Controller (TIC)
- AHB bus components
- Arbiter, decoder, reset controller, etc.
11 Network Security Processor
[Block diagram of the NSP. Blocks shown: ARM922T; Security Processor (AES, RSA, HMAC, RNG, Internal AHB Bus, CryptoDMA controller, Master/slave interfaces); ASB interface; Third Party IPs; AHB Bus; External AHB Bus; IO Interface; MCI; Internal Memory; Reset ctr; TIC; APB Bus; External Memory; Flash]
12 Security Processor
[Block diagram. Crypto-Engines: AES, RSA, HMAC, RNG. Crypto-DMA Controller: Slave Interface, Main Ctr, Channels 0-3, Channel Buffer, Ins. Decoder, Resource Manager, Register File, Micro-program Sequencer, Master Interface With Transfer Engine, AHB Master Interface With Transfer Engine]
13 Operation Procedures
[Flow diagram. Labels shown: Request, Fetch Descriptor, Interpretation, Resource Assignment, Fetch Data Key, Transfer Data Key, Key Data, Result, Transfer Result, Write Back Result, Interrupt]
14 Features of Security Processor
- Crypto-DMA module
- Quick data transfer using DMA scheme (alleviates 80% control overhead)
- Crypto-Engines
- RSA IP supports scalable key length
- 32-bit core
- Area efficient
- Optimized SBox for AES (saves 60% area cost)
- Shared datapath in HMAC (saves 12.5% area cost)
- Pure digital RNG
- Need one-bit noise input
15 EDA Platform
[Flow diagram combining an ASIC Design Flow, an FPGA Prototyping Flow and a DFT Circuitry Insertion Flow, with in-house and commercial tools marked. Steps shown: Design Spec.; Architecture Simulator; Architecture Evaluation; Implementation Spec.; RTL Coding, Sim., Verification and analysis; PowerMixer; UDL Synthesis Scan Insertion ATPG; IPs Synthesis Scan Insertion ATPG; Memory BIST Circuitry Insertion (BRAINS); SOC Test Circuitry Insertion (STEAC); Pre-Layout Verification Sim.; Physical Implementation; Post-Layout Verification Sim.; GDSII Sign-Off; C Programming; Compile, Link Assemble; Synthesis, Place Routing; USB Firmware; ARM Integrator System; Project management; Debugger]
16 PowerMixer
[Flow diagram. Phase 1, Modeling Phase: Circuit, Logic grouping, Random Patterns, Logic Simulator, Quick SPICE, a-Ratio (Toggle Count / Power Value), Multiple a-Ratios. Phase 2, Extrapolation Phase: Functional Patterns, Logic Simulator, Estimated Power]
Ref: Lee et al., Power estimation strategies for a low-power security Processor, ASP-DAC 2005
17 DFT Platform
- To provide an SOC test methodology for proposed architecture platform
- Using our previously proposed testing frameworks to reduce DFT insertion and test integration effort
- BRAINS (Bist for RAm IN Seconds)
- STEAC (Soc TEst Aid Console)
18 Memory BIST Automation Flow
[Flow diagram. Labels shown: Memory Spec.; Test Requirement; Input Parser; BIST Templates; Memory Library; BRAINS; BIST Design Testbench Integration Scripts; Simulation/Synthesis/PR Flow]
19 Design Flow STEAC
University Booth 900 1000 (BRAINS)
200 300 (STEAC)
20 NSP DFT Strategies
- ARM processor core
- Tested by TIC
- Security Processor
- Core test reuse
- IEEE 1500 based test methodology
- Crypto-engines are tested by STEAC
- System level components
- Tested by scan/ATPG patterns
- Memory cores
- BIST (Built-In Self-Test) is the best solution
- Tested by BRAINS
21 NSP Test Architecture
[Block diagram. Labels shown: ARM922T; Security Processor with AES, RSA, HMAC and RNG, each behind a 1500 wrapper; TAM Bus; TACS; JTAG; Internal AHB Bus; ASB interface; CryptoDMA controller; Master/slave interfaces; External AHB Bus; Memory BIST; Memory; MCI; Reset ctr; TIC; TestReq; TestACK; Test Vectors]
22 Prototyping Platform
[Block diagram. ARM Integrator: Logic Module (Security Processor, Memory, AHB Bridge, GPIF-AHB Interface), Core Module (ARM922T, Memory, AHB Bridge), AHB Bus, JTAG. PC: Multi-ICE, ADS, Application, USB Driver. USB Board: USB-chip, GPIF]
23 NSP Demo System
25 Experimental Environment
[Diagram. Clients connect over Ethernet to a Server running Apache-SSL web (2.8GHz CPU, 1GB Memory); the server connects over a USB Line to the USB Board, which reaches Memory, ARM922T and the Security Processor through GPIF-AHB]
1. Monitor
2. Descriptor generation
3. Record data encryption time
4. Reply done signal
26 Experimental Results
[Chart: Computation Time (Software Result is Normalized to 100) versus SSL Session Size (Bytes) at 1K, 2K, 4K, 8K, 16K and 32K, with SW and HW bars for each size broken down into AES, RSA and Other]
27 NSP Silicon Result
28 NSP Silicon Result (Cont'd)
29 Performance Comparisons
30 Conclusions
- We have presented the NSP design and four platforms
- Architecture platform: scalable network applications
- EDA platform: integrated CAD environment
- DFT platform: SOC test integration
- Prototyping platform: system verification and demonstration
- Results show that our NSP design outperforms others in terms of performance, scalability, and flexibility
- NSP chip is fabricated using TSMC 0.13um CMOS technology
- Feasibility of the platforms justified