CN114065267A - FPGA code stream protection method and device based on state cryptographic algorithm - Google Patents

FPGA code stream protection method and device based on state cryptographic algorithm Download PDF

Info

Publication number
CN114065267A
CN114065267A CN202111435325.9A CN202111435325A CN114065267A CN 114065267 A CN114065267 A CN 114065267A CN 202111435325 A CN202111435325 A CN 202111435325A CN 114065267 A CN114065267 A CN 114065267A
Authority
CN
China
Prior art keywords
abstract
code stream
fpga
algorithm
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111435325.9A
Other languages
Chinese (zh)
Inventor
张冲
郭洪
周江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Anlu Information Technology Co ltd
Original Assignee
Shanghai Anlu Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Anlu Information Technology Co ltd filed Critical Shanghai Anlu Information Technology Co ltd
Priority to CN202111435325.9A priority Critical patent/CN114065267A/en
Publication of CN114065267A publication Critical patent/CN114065267A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The application discloses a protection method and a device of FPGA code stream based on a cryptographic algorithm, wherein the method comprises the following steps: generating an FPGA code stream by FPGA software; generating an abstract of the FPGA code stream by adopting a Hash algorithm, encrypting the abstract by adopting an asymmetric algorithm to generate an encrypted abstract, and encrypting the FPGA code stream by adopting a symmetric algorithm to generate a ciphertext of the FPGA code stream; storing the encrypted abstract and the cipher text of the FPGA code stream in a storage module of a system board loaded with FPGA hardware; when the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, authenticates the encrypted abstract and acquires a first abstract, decrypts the ciphertext by adopting a symmetric algorithm, generates the digest of the decrypted ciphertext by adopting a Hash algorithm and acquires a second abstract; and comparing the first abstract with the second abstract, and if the first abstract and the second abstract are matched, verifying that the FPGA code stream is valid. The method and the device can improve the safety of the FPGA code stream.

Description

FPGA code stream protection method and device based on state cryptographic algorithm
Technical Field
The invention relates to the technical field of FPGA (field programmable gate array), in particular to a protection method and a protection device of an FPGA code stream based on a cryptographic algorithm.
Background
FPGA system solutions require software and hardware to work together. FPGA software refers to an Electronic Design Automation (EDA) compilation tool provided by an FPGA manufacturer, which synthesizes register transfer level circuit (RTL) codes, lays out and routes the codes, and finally generates bit streams (or code streams). Currently, the mainstream FPGA architecture is based on an SRAM type, and mainly includes four parts, namely a configurable logic block, an input/output block, an internal connection line, and other embedded units. The configurable logic block is the basic logic unit of the FPGA. Each configurable logic block contains a configurable switch matrix of 4 or 6 input SRAM type memory cells, several selection circuits (multiplexers etc.) and flip-flops. The switch matrix has a high degree of flexibility and is configured to handle combinatorial logic, shift registers or RAM. The code stream is loaded into configurable logic blocks that customize the hardware resources on the FPGA device to implement the desired circuitry. The FPGA hardware refers to an FPGA chip, and the FPGA chip can realize the specific function of the user only by loading bit streams. The bit stream file is stored in Flash of a FPGA system board level, and the FPGA system automatically loads the bit stream file in the Flash to start working after being electrified. The FPGA code stream files are usually unencrypted binary codes, so that bit stream files can be obtained by directly reading data in Flash, and products can be freely copied. Today, intellectual property rights are becoming more and more important, it is necessary to encrypt bitstream files to prevent illegal theft of intellectual property rights. Currently, an Advanced Encryption Standard (AES) symmetric algorithm is used to directly encrypt and decrypt a bitstream file. The AES symmetrical algorithm is directly used, so that the method is simple, but easy to crack.
Disclosure of Invention
The invention aims to provide a protection method and a device of an FPGA code stream based on a cryptographic algorithm.
The application discloses a protection method of an FPGA code stream based on a cryptographic algorithm, which comprises the following steps:
generating an FPGA code stream by FPGA software;
generating an abstract of the FPGA code stream by adopting a Hash algorithm, encrypting the abstract by adopting an asymmetric algorithm to generate an encrypted abstract, and encrypting the FPGA code stream by adopting a symmetric algorithm to generate a ciphertext of the FPGA code stream;
storing the encrypted abstract and the cipher text of the FPGA code stream in a storage module of a system board loaded with FPGA hardware;
when the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, authenticates the encrypted abstract and acquires a first abstract, decrypts the ciphertext by adopting a symmetric algorithm, generates the digest of the decrypted ciphertext by adopting a Hash algorithm and acquires a second abstract; and
and comparing the first abstract with the second abstract, and if the first abstract and the second abstract are matched, verifying that the FPGA code stream is valid.
In a preferred embodiment, the step of encrypting the digest by using an asymmetric algorithm and generating an encrypted digest further includes: and encrypting the abstract by adopting a specified public key.
In a preferred embodiment, the step of authenticating the encrypted digest and obtaining the first digest further includes: authenticating the encrypted digest using a private key.
In a preferred embodiment, the step of decrypting the ciphertext by using a symmetric algorithm further includes: decrypting the ciphertext using a private key.
In a preferred embodiment, the method further comprises the following steps: storing the asymmetric algorithm and the private key of the symmetric algorithm in the FPGA hardware.
The application also discloses a protection device of the FPGA code stream based on the state cryptographic algorithm, which comprises: the system comprises a Hash encryption module, an asymmetric encryption module, a symmetric encryption module, a Hash decryption module, an asymmetric decryption module, a symmetric decryption module, a verification module and a storage module, wherein the Hash encryption module, the asymmetric encryption module, the symmetric encryption module, the Hash decryption module, the asymmetric decryption module, the symmetric decryption module, the verification module and the storage module are arranged in the system
The Hash encryption module adopts a Hash algorithm to calculate an abstract of an FPGA code stream generated by FPGA software, the asymmetric encryption module adopts an asymmetric algorithm to encrypt the abstract and generate an encrypted abstract, and the symmetric encryption module adopts a symmetric algorithm to encrypt the FPGA code stream and generate a ciphertext of the FPGA code stream;
the hash decryption module, the asymmetric decryption module and the symmetric decryption module are positioned in FPGA hardware, the storage module is positioned on a system board loaded with the FPGA hardware, and the storage module is used for storing the encrypted abstract and the ciphertext of the FPGA code stream;
when the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, the asymmetric decryption module authenticates the encrypted abstract and acquires a first abstract, the symmetric decryption module decrypts the ciphertext by adopting a symmetric algorithm, and the hash decryption module generates the digest of the decrypted ciphertext by adopting a hash algorithm and acquires a second abstract; and
and the verification module compares the first abstract with the second abstract, and if the first abstract and the second abstract are matched, the FPGA code stream is verified to be effective.
In a preferred example, the storage module is further configured to store a private key of the asymmetric algorithm and the symmetric algorithm.
In a preferred embodiment, the asymmetric encryption module encrypts the digest by using a specified public key.
In a preferred embodiment, the asymmetric decryption module authenticates the encrypted digest using a private key.
In a preferred example, the symmetric decryption module decrypts the ciphertext using a private key.
Compared with the prior art, the method has the following beneficial effects:
the method and the device increase the authentication flow by using the asymmetric algorithm, and improve the security of the FPGA code stream.
Drawings
Fig. 1 shows a flowchart of an FPGA code stream protection method based on a cryptographic algorithm in an embodiment of the present invention.
Fig. 2 is a schematic diagram illustrating an FPGA code stream encryption process according to an embodiment of the present invention.
Fig. 3 is a schematic diagram illustrating an FPGA code stream decryption process according to an embodiment of the present invention.
Fig. 4 shows a block diagram of an FPGA code stream protection device based on a cryptographic algorithm in an embodiment of the present invention.
Detailed Description
In the following description, numerous technical details are set forth in order to provide a better understanding of the present application. However, it will be understood by those skilled in the art that the technical solutions claimed in the present application can be implemented without these technical details and with various changes and modifications based on the following embodiments.
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The application discloses a protection method of an FPGA code stream based on a cryptographic algorithm, and fig. 1 shows a flow chart of the protection method of the FPGA code stream in one embodiment of the application, and the method comprises the following steps:
step 101, FPGA software generates an FPGA code stream.
And 102, generating a digest of the FPGA code stream by adopting a hash algorithm (or called as a hash algorithm or SM3), and encrypting the digest by adopting an asymmetric algorithm (or called as SM2) to generate an encrypted digest. In one embodiment, the step of encrypting the digest using an asymmetric algorithm and generating an encrypted digest further comprises: and encrypting the abstract by adopting a specified public key. And encrypting the FPGA code stream by adopting a symmetric algorithm (or called as SM4) to generate a ciphertext of the FPGA code stream.
And 103, storing the encrypted abstract and the cipher text of the FPGA code stream in FPGA hardware. And storing the encrypted abstract and the cipher text of the FPGA code stream in a storage module, such as a Flash/EEPROM (electrically erasable programmable read-only memory) on an FPGA hardware system board.
In one embodiment, the method further comprises: storing the asymmetric algorithm and the private key of the symmetric algorithm in the FPGA hardware.
And 104, when the FPGA hardware is powered on, the FPGA hardware reads a code stream from a storage module, authenticates the encrypted abstract and obtains a first abstract. In one embodiment, the step of authenticating the encrypted digest and obtaining the first digest further comprises: authenticating the encrypted digest using a private key. And decrypting the ciphertext by adopting a symmetric algorithm, generating an abstract of the decrypted ciphertext by adopting a Hash algorithm, and obtaining a second abstract. In one embodiment, the step of decrypting the ciphertext using a symmetric algorithm further comprises: decrypting the ciphertext using a private key.
And 105, comparing the first abstract with the second abstract, and if the first abstract and the second abstract are matched, verifying that the FPGA code stream is valid and the FPGA starts to work normally. If not, the verification fails.
In order to better understand the technical solutions of the present description, the following description is given with reference to a specific example, in which the listed details are mainly for the sake of understanding, and are not intended to limit the scope of the present application.
The invention provides an encryption authentication scheme aiming at the encryption requirement of FPGA code stream, a software end is integrated with an encryption engine, and a hardware end is integrated with a decryption engine.
Referring to fig. 2, in the encryption process, the FPGA code stream generation software first converts the circuit into a plaintext code stream, then generates a digest using the SM3 hash algorithm, and then encrypts the digest using the specified public key using the SM2 asymmetric algorithm to obtain an encrypted digest. And simultaneously encrypting the plaintext code stream by using an SM4 symmetric algorithm. Finally, the merging of the two results is the code stream ready to be written to the memory (e.g., Flash) in the FPGA hardware.
Referring to fig. 3, when the FPGA hardware needs to load the code stream file in Flash, at this time, the SM2 asymmetric key and the SM4 symmetric key are already stored in the FPGA hardware in advance. Firstly, an SM2 asymmetric private key is used for authenticating an encrypted digest, meanwhile, an SM4 symmetric private key is used for decrypting a code stream, after decryption, an SM3 hash algorithm is used for generating the digest, the digest generated by the SM3 hash algorithm is compared with the digest authenticated by the SM2 asymmetric algorithm, if matching is carried out, the FPGA code stream is proved to be effective, the FPGA starts to work normally, otherwise, the code stream authentication fails.
After encryption, although others can read or copy the code stream data in Flash, when the copied code stream file is loaded in the FPGA hardware, if no secret key exists, the code stream file cannot be decrypted, and the decryption engine cannot recover the original code stream, so that loading cannot be completed. Therefore, the method can realize the code stream data protection function in Flash.
The application also discloses a protection device of the FPGA code stream based on the state cryptographic algorithm, and fig. 4 shows a block diagram schematic diagram of the protection device of the FPGA code stream. The protection device includes: the device comprises a Hash encryption module, an asymmetric encryption module, a symmetric encryption module, a Hash decryption module, an asymmetric decryption module, a symmetric decryption module, a verification module and a storage module.
The Hash encryption module adopts a Hash algorithm to calculate an abstract of an FPGA code stream generated by FPGA software, the asymmetric encryption module adopts an asymmetric algorithm to encrypt the abstract and generate an encrypted abstract, and the symmetric encryption module adopts a symmetric algorithm to encrypt the FPGA code stream and generate a ciphertext of the FPGA code stream.
The hash decryption module, the asymmetric decryption module and the symmetric decryption module are located in FPGA hardware, the storage module is located on a system board loaded with the FPGA hardware, and the storage module is used for storing the encrypted abstract and the ciphertext of the FPGA code stream.
When the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, the asymmetric decryption module authenticates the encrypted abstract and acquires a first abstract, the symmetric decryption module decrypts the ciphertext by adopting a symmetric algorithm, and the hash decryption module generates the digest of the decrypted ciphertext by adopting a hash algorithm and acquires a second abstract; and
and the verification module compares the first abstract with the second abstract, and if the first abstract and the second abstract are matched, the FPGA code stream is verified to be effective.
In one embodiment, the storage module is further configured to store a private key of the asymmetric algorithm and the symmetric algorithm.
In one embodiment, the asymmetric encryption module encrypts the digest using a specified public key.
In one embodiment, the asymmetric decryption module authenticates the cryptographic digest using a private key.
In one embodiment, the symmetric decryption module decrypts the ciphertext using a private key.
The first embodiment is an apparatus embodiment corresponding to the present embodiment, and the technical details in the first embodiment may be applied to the present embodiment, and the technical details in the present embodiment may also be applied to the first embodiment.
It is noted that, in the present patent application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the use of the verb "comprise a" to define an element does not exclude the presence of another, same element in a process, method, article, or apparatus that comprises the element. In the present patent application, if it is mentioned that a certain action is executed according to a certain element, it means that the action is executed according to at least the element, and two cases are included: performing the action based only on the element, and performing the action based on the element and other elements. The expression of a plurality of, a plurality of and the like includes 2, 2 and more than 2, more than 2 and more than 2.
All documents mentioned in this specification are to be considered as being incorporated in their entirety into the disclosure of the present application so as to be subject to modification as necessary. It should be understood that the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of one or more embodiments of the present disclosure should be included in the scope of protection of one or more embodiments of the present disclosure.
In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

Claims (10)

1. A protection method of FPGA code stream based on cryptographic algorithm is characterized by comprising the following steps:
generating an FPGA code stream by FPGA software;
generating an abstract of the FPGA code stream by adopting a Hash algorithm, encrypting the abstract by adopting an asymmetric algorithm to generate an encrypted abstract, and encrypting the FPGA code stream by adopting a symmetric algorithm to generate a ciphertext of the FPGA code stream;
storing the encrypted abstract and the cipher text of the FPGA code stream in a storage module of a system board loaded with FPGA hardware;
when the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, authenticates the encrypted abstract and acquires a first abstract, decrypts the ciphertext by adopting a symmetric algorithm, generates the digest of the decrypted ciphertext by adopting a Hash algorithm and acquires a second abstract; and
and comparing the first abstract with the second abstract, and if the first abstract and the second abstract are matched, verifying that the FPGA code stream is valid.
2. The method of claim 1, wherein the step of encrypting the digest using an asymmetric algorithm and generating an encrypted digest further comprises: and encrypting the abstract by adopting a specified public key.
3. The method of protecting as claimed in claim 1, wherein the step of authenticating the cryptographic digest and obtaining the first digest further comprises: authenticating the encrypted digest using a private key.
4. The method of claim 1, wherein the step of decrypting the ciphertext using a symmetric algorithm further comprises: decrypting the ciphertext using a private key.
5. The protection method of claim 1, further comprising: storing the asymmetric algorithm and the private key of the symmetric algorithm in the FPGA hardware.
6. A protection device of FPGA code stream based on cryptographic algorithm, characterized by that, including: the system comprises a Hash encryption module, an asymmetric encryption module, a symmetric encryption module, a Hash decryption module, an asymmetric decryption module, a symmetric decryption module, a verification module and a storage module, wherein the Hash encryption module, the asymmetric encryption module, the symmetric encryption module, the Hash decryption module, the asymmetric decryption module, the symmetric decryption module, the verification module and the storage module are arranged in the system
The Hash encryption module adopts a Hash algorithm to calculate an abstract of an FPGA code stream generated by FPGA software, the asymmetric encryption module adopts an asymmetric algorithm to encrypt the abstract and generate an encrypted abstract, and the symmetric encryption module adopts a symmetric algorithm to encrypt the FPGA code stream and generate a ciphertext of the FPGA code stream;
the hash decryption module, the asymmetric decryption module and the symmetric decryption module are positioned in FPGA hardware, the storage module is positioned on a system board loaded with the FPGA hardware, and the storage module is used for storing the encrypted abstract and the ciphertext of the FPGA code stream;
when the system is powered on, the FPGA hardware acquires the encrypted abstract and the ciphertext of the FPGA code stream from the storage module, the asymmetric decryption module authenticates the encrypted abstract and acquires a first abstract, the symmetric decryption module decrypts the ciphertext by adopting a symmetric algorithm, and the hash decryption module generates the digest of the decrypted ciphertext by adopting a hash algorithm and acquires a second abstract; and
and the verification module compares the first abstract with the second abstract, and if the first abstract and the second abstract are matched, the FPGA code stream is verified to be effective.
7. The protection device of claim 6, wherein the storage module is further configured to store a private key that associates the asymmetric algorithm with the symmetric algorithm.
8. The protection device of claim 6, wherein the asymmetric encryption module encrypts the digest using a specified public key.
9. The protection device of claim 6, wherein the asymmetric decryption module authenticates the cryptographic digest using a private key.
10. The protection device of claim 6, wherein the symmetric decryption module decrypts the ciphertext using a private key.
CN202111435325.9A 2021-11-29 2021-11-29 FPGA code stream protection method and device based on state cryptographic algorithm Pending CN114065267A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111435325.9A CN114065267A (en) 2021-11-29 2021-11-29 FPGA code stream protection method and device based on state cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111435325.9A CN114065267A (en) 2021-11-29 2021-11-29 FPGA code stream protection method and device based on state cryptographic algorithm

Publications (1)

Publication Number Publication Date
CN114065267A true CN114065267A (en) 2022-02-18

Family

ID=80276980

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111435325.9A Pending CN114065267A (en) 2021-11-29 2021-11-29 FPGA code stream protection method and device based on state cryptographic algorithm

Country Status (1)

Country Link
CN (1) CN114065267A (en)

Similar Documents

Publication Publication Date Title
US9043610B2 (en) Systems and methods for data security
US10110380B2 (en) Secure dynamic on chip key programming
US7606362B1 (en) FPGA configuration bitstream encryption using modified key
US11308241B2 (en) Security data generation based upon software unreadable registers
CA2537299A1 (en) On-chip storage, creation, and manipulation of an encryption key
KR101303278B1 (en) FPGA apparatus and method for protecting bitstream
KR20070112115A (en) File encryption/decryption method, device, program, and computer-readable recording medium containing the program
CA2400220A1 (en) Consumable authentication protocol and system
CN110298186B (en) Non-key data encryption and decryption method based on dynamic reconfigurable cipher chip
US7841014B2 (en) Confidential information processing method, confidential information processor, and content data playback system
US20120096280A1 (en) Secured storage device with two-stage symmetric-key algorithm
CN111488630A (en) Storage device capable of configuring safe storage area and operation method thereof
JP7087172B2 (en) Unlock PQA
US9571273B2 (en) Method and system for the accelerated decryption of cryptographically protected user data units
US10291402B2 (en) Method for cryptographically processing data
CN107925574B (en) Secure programming of secret data
US8024583B2 (en) Confidential information processing host device and confidential information processing method
US20020168067A1 (en) Copy protection method and system for a field-programmable gate array
US20080104396A1 (en) Authentication Method
CN110046489B (en) Trusted access verification system based on domestic Loongson processor, computer and readable storage medium
CN114065267A (en) FPGA code stream protection method and device based on state cryptographic algorithm
Peterson Leveraging asymmetric authentication to enhance security-critical applications using Zynq-7000 all programmable SoCs
KR101677138B1 (en) Method of on-line/off-line electronic signature system for security of off-line token
US11698993B2 (en) Integrated circuit configured to perform symmetric encryption operations with secret key protection
JP2008003774A (en) Microcomputer

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination