Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > FPGAs/PLDs

Building secure networks for comms work

Posted: 03 Nov 2003 ?? ?Print Version ?Bookmark and Share

Keywords:communication? network security? embedded fpga? pld? ip?

The road to developing highly secure networks begins with the selection of system components - afterall, each component represents a potential door to hostile attack. Yet a major transformation in network equipment design has occurred recently and its implications for network security have gone largely unnoticed.

Designers building communications systems today face two distinct security threats. The first is IP theft. Today, the key IP that differentiates a system from competitive offerings is housed in programmable logic.

One of the most common strategies used by thieves to steal IP embedded in FPGAs is called run-on fraud. Typically, this strategy is used by assembly houses that overbuild a design and then earn additional income by selling the extra components to gray market importers. The additional devices typically end up in finished products that are indistinguishable from the originals. One way to limit exposure to this ploy is to use a secure PLD technology, perform all programming in-house and then supply only programmed devices to the contract manufacturer.

Another common way IP is stolen is through reverse engineering or cloning. A thief copies a design by essentially reconstructing a schematic-level representation from the original physical device. This allows the thief to discover how the design works and in some cases improve on its performance. In some sophisticated cases, a thief will employ lasers or focused ion beams to attack a particular part of a chip or use chemicals to etch back the silicon layers of a chip.

Cloning is the simple copying of a design. Typically, the thief does not know how the design functions, but merely gains access to its details. SRAM-based FPGAs are particularly susceptible to this threat. By copying the boot PROM or intercepting the configuration bitstream from the on-board processor, a thief can easily recreate the design without intimate knowledge of how it functions.

The second major security risk in communications systems is data security. Most companies go to great efforts to protect the front door of their networks by implementing elaborate firewalls and other security measures. What many designers do not understand is that FPGAs represent a potentially vulnerable back door to their secure networks.

The classic strategy used to protect data in networks is to employ highly sophisticated encryption techniques. The Data Encryption Standard (DES) uses a 56-bit private-key-encryption algorithm to protect data. Virtually all leading FPGA vendors offer encryption cores to implement DES in their products, but critics have for many years questioned whether DES provides adequate levels of security. Companies have demonstrated how easily the algorithm can be cracked. Currently, the U.S. government is going through a process to replace DES with an effort called the Advanced Encryption Standard.

Systems using reconfigurable FPGAs are highly susceptible to attempts to circumvent encryption efforts. Using reprogrammable flash-based FPGAs present a more secure solution.

While the theft of data is a major concern, the most common form of attack on data security is denial-of-service (DoS). In these attacks, the pirate does not seek to steal data, but to deny use of the network to users. One hears repeatedly news reports describing how hackers shut down network services by flooding a network with messages.

Networks that rely on SRAM-based FPGAs to upgrade system hardware are particularly vulnerable to DoS attacks. By gaining access to the FPGA's bitstream, an attacker could corrupt the FPGA and bring down the network. A more sophisticated hacker could create even greater problems by reprogramming the FPGA to take control of the hardware.

Given the geopolitical and economic conditions prevalent today, network security concerns are more important than ever. Yet few network equipment designers are aware of the security implications of the parts they use in their systems. Carefully choosing the right FPGA can have a major impact on the designer's ability to protect valuable IP as well as ensure the integrity of the data in the system.

- Jon Ewald

Director of Product Marketing

Actel Corp.

Article Comments - Building secure networks for comms w...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top