Observer tamzid

sending the encryption key to a remote FPGA

Is there any protocol for sending the encryption key to a remote FPGA? If both the key and the encrypted bitstream are sent together, there is a chance that an attacker can get hold of both of them by snooping the network and decrypt the IP.

Accepted Solutions
Teacher muzaffer
FPGA has battery backed non-volatile storage for the key so the key doesn't need to change. The vendor should encrypt with the original key and just send the encrypted bit file. Of course another layer of public/private key based protection can be built on top of this system. The FPGA or another block has to receive the new bit file, program the flash with it and restart (or the other master can program the FPGA directly).
9 Replies
Teacher muzaffer
This is not a good idea. The remote system should have a public/private key pair and you should encrypt the bitstream with the public key so the system should be able to decrypt it with the private key. Sending the key out in the open is not suggested. There are key exchange protocols but I am not sure if they are necessary in your case: https://en.wikipedia.org/wiki/Key_exchange
Observer tamzid
Hi,

Thank you for your response. I agree that public/private key pair would be the secure solution for a remote upgrade.

However, I could not find any document where it is specifically mentioned if any of the Xilinx FPGAs use public/private key based encryption. From my understanding Xilinx FPGAs use symmetric key based encryption where both the key and the bitstream are sent to the device at the same time. Correct me if I am wrong.

If you have any such reference/documents, kindly let me know.

Teacher muzaffer
Actually I'd like to take back my previous response as it's not applicable to the situation at hand. The correct response is:
You don't need to send an encryption key. Xilinx FPGAs have volatile, battery backed encryption keys programmed before the device leaves your control so you should just send the encrypted bit files to the remote FPGA. You should never let unprogrammed FPGA boards leave your premises. The keys are for all practical purposes permanently programmed to the FPGA and should not change at customers' premises at all.
Observer tamzid
Hi Muzaffer, as you mentioned "The keys are for all practical purposes permanently programmed to the FPGA and should not change at customers' premises at all."

I was wondering about a situation where an FPGA is remotely operating in a system (like a car).

And suppose the vendor decides to upgrade the system, designs a new IP and generates a new bitstream.

Now, to program the appropriate key for the new bitstream, the vendor would not get the system (like the car) near them.

Rather, they would have to send the new key and the bitstream wirelessly to the intended FPGA.

From your knowledge, do you think the key is fixed for all the future upgrades? If yes, could you kindly add some reference?

Thank you for your time!

Scholar austin
The decryption is covered in the configuration users guide,

One may provide for supporting a public/private key protocol using an additional layer of software and logic, but that also creates a back-door for an attacker, so you must be careful, and test the solution to be sure it is not a vulnerability. Even in an encrypted design, one may use the internal configuration access port (ICAP) to load a new (partial) bitstream. Obviously, one cannot load the entire bitstream, as the ICAP itself would get over-written, causing the update to stop.

Zynq devices with their ARM cores allow the programmable logic to be completely re-written, and the ARM cores may be used to support just what you describe. The feature is a vector for attack, so previous warnings still apply.

Austin Lesea
Principal Engineer
Xilinx San Jose
Observer tamzid
Thanks both of you for the response. I get the idea. 

Observer tamzid
Hi Austin,

In case of a software or logic implemented public-private key protocol, exactly what kind of vulnerability do you think might exist? (like side channel attack on the decryptor block, or brute force, etc.)

Scholar austin
t,

A nation-state attack is not the same as a casual hacker attack. What threats are you looking at?

If the attacker knows you send updates, then they will try to intercept them, and reverse engineer the protocol. If you use an open source public/private key protocol, there is nothing to learn, so they will address physical weakness such as a side-channel attack, or a man in the middle attack. If you have used a well tested and trusted protocol, then it will be quite tough to crack it. If they have physical access, they will likely be able to observe the encrypted data which is of no help. You will need to disable JTAG (in Zynq the ARM has 100% control of JTAG, so if you do not allow access to the programmable logic, they are unable to read it back out unencrypted).

Contact your Xilinx FAE for assistance with the details. As our devices are present in many crypto systems today, we have a track record of use there. If you Google single-chip crypto you will see we were the first to be accepted and used.

 

Austin Lesea
Principal Engineer
Xilinx San Jose
0 Kudos
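
The "another layer of public/private key based protection" suggested in the accepted solution, as an added example that is not part of the thread or any Xilinx code: the block that receives the update verifies a vendor signature (RSASSA-PKCS1-v1_5 with SHA-256) over the already encrypted bit file before it programs the flash. The demo key, the 4-byte version field, the anti-rollback rule and all function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

# Constructed demo key built from two Mersenne primes: insecure, illustration only.
# A real updater would embed only the vendor's public key (N, E).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
K = (N.bit_length() + 7) // 8                      # modulus length in bytes
_D = pow(E, -1, (P - 1) * (Q - 1))                 # private exponent, vendor side only
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _signed_bytes(version, enc_bitstream):
    # Bind the version number to the (already encrypted) bit file.
    return struct.pack(">I", version) + enc_bitstream

def _emsa_pkcs1_v15(msg):
    # 00 01 FF..FF 00 || DigestInfo(SHA-256) || hash, padded to K bytes.
    t = SHA256_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(version, enc_bitstream):
    # Vendor-side step, included only to build the constructed sample below.
    em = _emsa_pkcs1_v15(_signed_bytes(version, enc_bitstream))
    return pow(int.from_bytes(em, "big"), _D, N).to_bytes(K, "big")

def accept_update(version, enc_bitstream, sig, installed_version):
    """Updater-side gate run before the flash is touched. Returns (ok, reason)."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False, "malformed signature"
    em = pow(s, E, N).to_bytes(K, "big")
    expected = _emsa_pkcs1_v15(_signed_bytes(version, enc_bitstream))
    if not hmac.compare_digest(em, expected):      # compare whole block, no parsing
        return False, "bad signature"
    if version <= installed_version:               # hypothetical anti-rollback rule
        return False, "rollback"
    return True, "ok"

# Constructed stand-in for an AES-encrypted bit file; it is never decrypted here.
ENC_BIT = bytes(range(256)) * 4
SIG = vendor_sign(7, ENC_BIT)

if __name__ == "__main__":
    print(accept_update(7, ENC_BIT, SIG, installed_version=6))                     # genuine
    print(accept_update(7, ENC_BIT[:-1] + b"\x00", SIG, installed_version=6))      # modified in transit
    print(accept_update(7, ENC_BIT, SIG, installed_version=7))                     # replayed old update
```

The device key never leaves the FPGA in this arrangement; the signature only decides whether the encrypted file is written to flash at all.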