A Network Security Processor Design Based on an Integrated SOC and Test Platform

1
A Network Security Processor Design Based on an
Integrated SOC and Test Platform
Chen-Hsing Wang, Chih-Yen Lo, Min-Sheng Lee,
Jen-Chieh Yeh, Chih-Tsun Huang, Cheng-Wen Wu,
Shi-Yu Huang

• Laboratory for Reliable Computing (LaRC)
• Electrical Engineering Department
• National Tsing Hua University

2
Outline

• Introduction
• Motivation
• Basics of cryptography system
• Platforms proposed for network security processor
  design
• Architecture platform
• EDA platform
• DFT platform
• Prototyping platform
• Experimental Implementation results
• Conclusions

3
Introduction

• Data security has become an important issue in
  communication applications
• Security protocols, such as SSL IPSec,use
  public-key and secret-key algorithms to ensure
  data safety
• Software approach does not meet high throughput
  requirement
• ASIC design style is infeasible
• Time-to-market pressure
• Non-recurring engineering cost
• Increasing circuit complexity

4
Introduction (Contd)

• We design a Network Security Processor (NSP)
  based on proposed platforms
• Supporting popular cryptography algorithms
• Suitable for communication applications
• Scalable
• Inserting/removing crypto-engines is easy
• Using proposed platforms dramatically reduces
  redesign cycle
• Testability considered

5
Asymmetric Key Crypto-System
Bob
Alice
They use different keys
Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
X(DAW! hjkAW45 _at_)()RE REW9_at_

Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
X(DAW! hjkAW45 _at_)()RE REW9_at_

f()
f()
6
Symmetric Key Crypto-System
Bob
Alice
They use the same key
Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
X(DAW! hjkAW45 _at_)()RE REW9_at_

Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
X(DAW! hjkAW45 _at_)()RE REW9_at_

f()
f()
7
Message Authentication Code
Bob
Alice
Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
Alice How are you? -----------------
----------------- -----------------
----------------- -----------------
Bob
MAC()
Compare
Digest
MAC()
8
Outline

• Introduction
• Motivation
• Basics of cryptography system
• Platforms proposed for network security processor
  design
• Architecture platform
• EDA platform
• DFT platform
• Prototyping platform
• Experimental Implementation results
• Conclusions

9
System Design Overview
Host Processor
Security Processor
IO Interface
10
Architecture Platform

• On-chip bus AMBA
• The platform for NSP includes
• Host processor (ARM922T)
• Security Co-Processor
• AES, RSA, HMAC-SHA1/MD5 and RNG
• Memory Control Interface (MCI)
• Internal/external memory
• Test Interface Controller (TIC)
• AHB bus components
• Arbiter, decoder, reset controller, etc.

11
Network Security Processor
NSP
Security Processor
ARM922T
HMAC
RNG
RSA
AES
Internal AHB Bus
ASB interface
Third Party IPs
AHB Bus
CryptoDMA controller
Master/slave interface
Master/slave interface
External AHB Bus
IO Interface
MCI
Internal Memory
Reset ctr
TIC
APB Bus
External Memory
Flash
12
Security Processor
Crypto-Engines
Crypto-DMA Controller
Slave Interface
Main Ctr
AES
Channel 0
Channel Buffer
Ins. Decoder
Channel 1
Resource Manager
Channel 2
RSA
Register File
Channel 3
Micro-program Sequencer
Master Interface With Transfer Engine
HMAC
AHB Master Interface With Transfer Engine
RNG
13
Operation Procedures
Resource Assignment
Interrupt
Key Data
Interpretation
Result
Request
Key Data
Result
Fetch Descriptor
Fetch Data Key
Write Back Result
Transfer Data Key
Transfer Result
14
Features of Security Processor

• Crypto-DMA module
• Quick data transfer using DMA scheme (alleviates
  80 control overhead)
• Crypto-Engines
• RSA IP supports scalable key length
• 32-bit core
• Area efficient
• Optimized SBox for AES (saves 60 area cost)
• Shared datapath in HMAC (saves 12.5 area cost)
• Pure digital RNG
• Need one-bit noise input

15
EDA Platform
GDSII Sign-Off
ASIC Design Flow
Design Spec.
Post-Layout Verification Sim.
Architecture Simulator
Architecture Evaluation
FPGA Prototyping Flow
C Programming
Implementation Spec.
Physical Implementation
PowerMixer
RTL Coding, Sim., Verification and analysis
Compile, Link Assemble
Pre-Layout Verification Sim.
Synthesis, Place Routing
USB Firmware
UDL Synthesis Scan Insertion ATPG
IPs Synthesis Scan Insertion ATPG
Memory BIST Circuitry Insertion (BRAINS)
ARM Integrator System
SOC Test Circuitry Insertion (STEAC)
Project management
Debugger
DFT Circuitry Insertion Flow
In-house tools
Commercial tools
16
PowerMixer
Logic grouping
Phase1 Modeling Phase
Quick SPICE
Logic Simulator
Random Patterns
a-Ratio
Multiple a-Ratios
(Toggle Count / Power Value)
Circuit
Phase2 Extrapolation Phase
Logic Simulator
Functional Patterns
Estimated Power
Ref Lee et al., Power estimation strategies for
a low-power security Processor, ASP-DAC 2005
17
DFT Platform

• To provide an SOC test methodology for proposed
  architecture platform
• Using our previously proposed testing frameworks
  to reduce DFT insertion and test integration
  effort
• BRAINS (Bist for RAm IN Seconds)
• STEAC (Soc TEst Aid Console)

18
Memory BIST Automation Flow
Memory Spec.
Test Requirement
Input Parser
BIST Templates
Memory Library
BRAINS
BIST Design Testbench Integration Scripts
Simulation/Synthesis/PR Flow
19
Design Flow STEAC
University Booth 900 1000 (BRAINS)
200 300 (STEAC)
20
NSP DFT Strategies

• ARM processor core
• Tested by TIC
• Security Processor
• Core test reuse
• IEEE 1500 based test methodology
• Crypto-engines are tested by STEAC
• System level components
• Tested by scan/ATPG patterns
• Memory cores
• BIST (Built-In Self-Test) is the best solution
• Tested by BRAINS

21
NSP Test Architecture
Security Processor
TAM Bus
ARM922T
TAM Bus
1500 wrapper
1500 wrapper
1500 wrapper
1500 wrapper
TACS
AES
RSA
HMAC
RNG
JTAG
Internal AHB Bus
ASB interface
CryptoDMA controller
Master/slave interface
Master/slave interface
External AHB Bus
Memory BIST
Reset ctr
TIC
MCI
Memory
TestReq
TestACK
Test Vectors
22
Prototyping Platform
ARM Integrator
Logic Module
Core Module
Security Processor
Memory
AHB Bridge
AHB Bridge
AHB Bus
ARM922T
Memory
GPIF-AHB Interface
JTAG
PC
Multi-ICE
GPIF
USB Driver
USB-chip
ADS
Application
USB Board
23
NSP Demo System
24
Outline

• Introduction
• Motivation
• Basics of cryptography system
• Platforms proposed for network security processor
  design
• Architecture platform
• EDA platform
• DFT platform
• Prototyping platform
• Experimental Implementation results
• Conclusions

25
Experimental Environment
Ethernet
Server
Clients
Apache-SSL web (2.8GHz CPU 1GB Memory)
USB Line
USB Board
1. Monitor 2. Descriptor generation 3. Record
data encryption time 4. Reply done signal
Memory
GPIF-AHB
ARM922T
Security Processor
26
Experimental Results
100 90 80 70 60 50 40 30 20 10 0
AES RSA Other
Computation Time (Software Result is Normalized
to 100)
SW HW SW HW SW HW SW HW SW HW
SW HW
1K 2K 4K 8K
16K 32K
SSL Session Size (Bytes)
27
NSP Silicon Result
28
NSP Silicon Result (Contd)
29
Performance Comparisons
30
Conclusions

• We have presented the NSP design and four
  platforms
• Architecture platform scalable network
  applications
• EDA platform integrated CAD environment
• DFT platform SOC test integration
• Prototyping platform system verification and
  demonstration
• Results show that our NSP design outperforms
  others in terms of performance, scalability, and
  flexibility
• NSP chip is fabricated using TSMC 0.13um CMOS
  technology
• Feasibility of the platforms justified