METHOD AND DEVICE FOR AUTHENTICATING AN FPGA CONFIGURATION

20220043900 · 2022-02-10

    Abstract

    The disclosure relates to a method and a device for authenticating an FPGA configuration. The method includes at least partly reading the configuration of an FPGA by the FPGA itself and calculating a first checksum using the read configuration. The method further includes providing an authentication response which confirms that the FPGA configuration is authentic when the first checksum matches a specified checksum, wherein the reading, calculating, and providing are carried out in an obfuscated manner. The authentication response confirming that the FPGA configuration is authentic is not provided or is only provided with a very low degree of probability when the first checksum and the specified checksum do not match. In this regard, an FPGA may check its own configuration.

    Claims

    1. A method for authenticating a Field Programmable Gate Array (FPGA) configuration, the method comprising: at least partially reading the FPGA configuration of an FPGA by the FPGA itself; calculating a first checksum over the FPGA configuration which has been read; and providing an authentication response which confirms that the FPGA configuration is authentic when the first checksum corresponds to a predefined checksum, wherein the reading, the calculating, and the providing are performed in obfuscated form, wherein the authentication response which confirms that the FPGA configuration is authentic is not provided or is provided only with a very low degree of probability when the first checksum and the predefined checksum do not correspond, wherein the first checksum is provided when a specific item of information is transmitted to the FPGA, and wherein the specific item of information comprises a signal pattern that is applied to a multiplicity of inputs of the FPGA configuration.

    2. The method of claim 1, wherein the predefined checksum comprises at least one hash value or one result of a cryptographic hash function.

    3. The method of claim 1, wherein the providing of the authentication response comprises generating an asymmetric signature for a predefined authentication task.

    4. The method of claim 1, wherein the providing of the authentication response comprises decrypting an asymmetrically encrypted message.

    5. The method of claim 1, wherein the providing of the authentication response comprises decrypting a symmetrically encrypted message.

    6. The method of claim 1, wherein the providing of the authentication response comprises symmetrically encrypting a message.

    7. The method of claim 1, wherein the obfuscated performance of the reading, the calculating, and the providing comprises data from a physically unclonable function (PUF).

    8. The method of claim 1, wherein the predefined checksum is stored in a storage unit outside the FPGA configuration.

    9. (canceled)

    10. The method of claim 1, wherein the item of specific information is asymmetrically encrypted or signed, symmetrically encrypted, or encrypted with data from a physically unclonable function (PUF).

    11. The method of claim 1, wherein data from a physically unclonable function (PUF) component is provided when the specific item of information is transmitted to the FPGA.

    12. The method of claim 11, wherein the specific item of information is asymmetrically encrypted, asymmetrically signed, or symmetrically encrypted.

    13. The method of claim 1, wherein the method is carried out during the FPGA configuration and/or during a runtime of the FPGA.

    14. A Field Programmable Gate Array (FPGA) device for authenticating an FPGA configuration, the FPGA device comprising: the FPGA configuration, wherein the FPGA device is configured to: at least partially read the FPGA configuration of the FPGA device; calculate a first checksum over the FPGA configuration which has been read; and provide an authentication response, wherein the authentication response confirms that the FPGA configuration is authentic when the first checksum corresponds to a predefined checksum, wherein the reading, the calculation, and the provision are performed in obfuscated form, wherein the authentication response which confirms that the FPGA configuration is authentic is not provided or is provided only with a very low degree of probability when the first checksum and the predefined checksum do not correspond, wherein the first checksum is provided when a specific item of information is transmitted to the FPGA device, and wherein the specific item of information comprises a signal pattern that is applied to a multiplicity of inputs of the FPGA configuration.

    15. A computer program product configured to be stored on a Field Programmable Gate Array (FPGA) device, wherein the computer program product, when executed, causes the FPGA device to: at least partially read an FPGA configuration of the FPGA device by the FPGA device itself; calculate a first checksum over the FPGA configuration which has been read; and provide an authentication response which confirms that the FPGA configuration is authentic when the first checksum corresponds to a predefined checksum, wherein the reading, the calculation, and the provision are performed in obfuscated form, wherein the authentication response which confirms that the FPGA configuration is authentic is not provided or is provided only with a very low degree of probability when the first checksum and the predefined checksum do not correspond, wherein the first checksum is provided when a specific item of information is transmitted to the FPGA device, and wherein the specific item of information comprises a signal pattern that is applied to a multiplicity of inputs of the FPGA configuration.

    16. The method of claim 2, wherein the providing of the authentication response comprises generating an asymmetric signature for a predefined authentication task.

    17. The method of claim 2, wherein the providing of the authentication response comprises decrypting an asymmetrically encrypted message.

    18. The method of claim 2, wherein the providing of the authentication response comprises decrypting a symmetrically encrypted message.

    19. The method of claim 2, wherein the providing of the authentication response comprises symmetrically encrypting a message.

    Description

    BRIEF DESCRIPTION OF DRAWINGS

    [0078] The disclosure is explained in more detail below based on the exemplary implementations with reference to the attached figures.

    [0079] FIG. 1 depicts a block diagram for illustrating an exemplary embodiment of a device for authenticating an FPGA configuration.

    [0080] FIG. 2 depicts a flowchart for illustrating a possible exemplary embodiment of a method for authenticating an FPGA configuration.

    DETAILED DESCRIPTION

    [0081] FIG. 1 depicts a block diagram for illustrating a possible exemplary embodiment of a device. In the exemplary embodiment illustrated in FIG. 1, the FPGA 1 contains an FPGA configuration 2.

    [0082] The FPGA configuration 2 is loaded into an SRAM (static random access memory) of the FPGA 1, for example, when starting the FPGA 1 and configures the FPGA.

    [0083] This installed FPGA configuration 2 is checked during the runtime and the authenticity of the FPGA configuration 2 or a manipulation is determined.

    [0084] A first component 6 and a second component 7 as well as the checking component 3 and the PUF component 5 are instantiated E via the FPGA configuration 2. For example, the first component 6 and the second component 7 may include a crypto accelerator or a processor. The FPGA configuration 2 may instantiate E further components. The checking component 3 and the PUF component 5 are instantiated E by the FPGA configuration 2.

    [0085] The checking component 3 checks the FPGA configuration 2. The PUF component 5 receives a PUF task and provides the checking component 3 with a PUF response according to the PUF task. The PUF response remains on the FPGA 1 and is advantageously not used for a further calculation.

    [0086] The checking component 3 receives the PUF response from the PUF component 5. The checking component 3 also reads the FPGA configuration 2 from the SRAM and receives an encrypted checksum for checking the FPGA configuration 2. An authentication response B is provided according to the result of the check.

    [0087] The authentication response B may be used to determine whether the FPGA configuration 2 running on the FPGA 1 has been compromised. In a further embodiment, the authentication response B includes the output of an alarm in the event of a negative check, for example, if the FPGA configuration 2 has been compromised.

    [0088] The FPGA 1 is also coupled to a storage unit 4, e.g., an external storage unit 4. The storage unit 4 is coupled to the FPGA 1 via an interface (not illustrated). The storage unit 4 may be in the form of a non-volatile memory, for example, a flash memory.

    [0089] Further storage elements known in the prior art for use as the storage unit 4 are not excluded by the exemplary list. The predefined checksum is stored in the storage unit 4 in encrypted form. The predefined checksum is made available to the checking component 3 via the interface. The checking component 3 is used to calculate the first checksum in act S1. For this purpose, the FPGA configuration 2 of the FPGA 1 is at least partially self-read F by the FPGA 1.

    [0090] The checksum is calculated over the FPGA configuration 2 which has been read. The calculated checksum may include a hash value, for example. The calculated checksum is compared with the checksum stored in the storage unit 4. If the calculated checksum and the predefined checksum stored in the storage unit 4 correspond, the phase of authenticating the FPGA configuration 2 begins and an authentication response B is provided.

    [0091] The authentication response B is obfuscated with the self-read FPGA configuration 2. The at least partial reading and calculation of the first checksum and the comparison of the first checksum with the predefined checksum as well as the provision of the authentication response B are performed in obfuscated form. Therefore, it is advantageously not possible to clearly distinguish between the self-check of the FPGA 1 and the authentication response B.

    [0092] FIG. 2 depicts a flowchart for illustrating an exemplary embodiment of a method for authenticating an FPGA configuration.

    [0093] In the exemplary embodiment illustrated, the method includes a plurality of acts. In act S1, the configuration 2 of an FPGA 1 is at least partially read S1 by the FPGA 1 itself and a first checksum is calculated over the configuration 2 which has been read.

    [0094] In a further act S2, an authentication response B is provided, which response confirms that the FPGA configuration 2 is authentic if the first checksum corresponds to a predefined checksum. Acts S1 and S2 are performed in obfuscated form. The authentication response B which confirms that the FPGA configuration 2 is authentic is not provided or is provided only with a very low degree of probability if the first checksum and the predefined checksum do not correspond.

    [0095] The predefined checksum corresponds to an authentic configuration of the FPGA 1.

    [0096] The FPGA configuration 2 therefore reports to the outside that the configuration is authentic, and it carries out a calculation which, without an item of additional information, for example, a secret item of additional information which is stored in the FPGA configuration 2, may be carried out only in an extremely complicated manner.

    [0097] In order to prevent the FPGA configuration 2 from being changed by an attacker in such a manner that an authentication response B is provided even when the FPGA configuration 2 is not authentic, both the circuit for reading and hashing the FPGA configuration and the authentication response B are obfuscated together. Therefore, it is advantageously not clear to an attacker based on the obfuscated network list which circuit parts are used for the self-check and which parts are used to provide the authentication response B.
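
    The self-check of paragraphs [0089] to [0097], modelled in software as an added example that is not part of the patent: the key for response B is derived from the checksum of the configuration as actually read, so removing the comparison does not yield a valid response for a modified configuration. SHA-256, HMAC as the symmetric response, the XOR masking of the stored checksum with PUF data, the challenge value and all function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

def checksum(data: bytes) -> bytes:
    """First checksum of act S1; SHA-256 is an assumed choice of hash."""
    return hashlib.sha256(data).digest()

def puf_pad(device_secret: bytes) -> bytes:
    """Hypothetical model of PUF component 5: a device-unique 32-byte value."""
    return hmac.new(device_secret, b"puf-task", hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def response_key(digest: bytes) -> bytes:
    """Key for response B, derived from the checksum of the config as read."""
    return hashlib.sha256(b"response-key" + digest).digest()

def provision(config: bytes, device_secret: bytes):
    """Enrollment: masked checksum for storage unit 4, key for the verifier."""
    digest = checksum(config)
    return xor(digest, puf_pad(device_secret)), response_key(digest)

def authenticate(sram, stored, device_secret, challenge, compare=True):
    """Checking component 3. compare=False models a removed comparison."""
    first = checksum(sram)                              # act S1: self-read and hash
    predefined = xor(stored, puf_pad(device_secret))    # unmask stored checksum on-chip
    if compare and not hmac.compare_digest(first, predefined):
        return None                                     # response B is not provided
    return hmac.new(response_key(first), challenge, hashlib.sha256).digest()

def verify(enrolled_key, challenge, response) -> bool:
    """External verifier: accepts only the response an authentic config produces."""
    if response is None:
        return False
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

# Constructed sample data, not taken from the patent.
DEVICE_SECRET = b"constructed-puf-seed"
GOOD = b"constructed bitstream with embedded secret 7f3a"
BAD = GOOD.replace(b"7f3a", b"7f3b")
STORED, ENROLLED = provision(GOOD, DEVICE_SECRET)
CHALLENGE = b"nonce-0001"

if __name__ == "__main__":
    for name, cfg, cmp_ in [("authentic", GOOD, True), ("modified", BAD, True),
                            ("modified, compare removed", BAD, False)]:
        r = authenticate(cfg, STORED, DEVICE_SECRET, CHALLENGE, cmp_)
        print(name, "->", verify(ENROLLED, CHALLENGE, r))
```

    In this model the masked checksum unmasks correctly only on the device whose PUF data was used at enrollment, so a copy of the stored value on another device yields no response.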

    [0098] In summary, the disclosure relates to a method and a device for authenticating an FPGA configuration 2. The method includes at least partially reading S1 the configuration 2 of an FPGA 1 by the FPGA 1 itself and calculating a first checksum over the configuration 2 which has been read. The method further includes providing S3 an authentication response B which confirms that the FPGA configuration 2 is authentic if the first checksum corresponds to a predefined checksum, wherein the reading, the calculating, and the providing are performed in obfuscated form, and wherein the authentication response B which confirms that the FPGA configuration 2 is authentic is not provided or is provided only with a very low degree of probability if the first checksum and the predefined checksum do not correspond.

    [0099] In this respect, an FPGA may check its configuration itself.

    [0100] It is to be understood that the elements and features recited in the appended claims may be combined in different ways to produce new claims that likewise fall within the scope of the present disclosure. Thus, whereas the dependent claims appended below depend from only a single independent or dependent claim, it is to be understood that these dependent claims may, alternatively, be made to depend in the alternative from any preceding or following claim, whether independent or dependent, and that such new combinations are to be understood as forming a part of the present specification.

    [0101] While the present disclosure has been described above by reference to various embodiments, it may be understood that many changes and modifications may be made to the described embodiments. It is therefore intended that the foregoing description be regarded as illustrative rather than limiting, and that it be understood that all equivalents and/or combinations of embodiments are intended to be included in this description.