Security for the Internet of Things.

Solving IoT Security Problems with New Generation of FPGAs


  • Page 1 of 1
    Bookmark and Share

Article Media

It can be extremely challenging to combat design cloning, reverse engineering or tampering in today’s IoT. FPGAs help by including security-focused features that add defense at the device level. These include a physically unclonable function (PUF) from which the Private Key in the Public/Private Key scheme can be derived for implementing M2M authentication using Public Key Infrastructure (PKI). Other important features include cryptographic accelerators, a random number generator, and Differential Power Analysis (DPA) countermeasures that, together, allow system architects to layer security throughout the system.

The multiple electronic networks of the IoT require end-to-end layered security, starting at the device level. FPGAs help deliver this layered security by including unique built-in features and differentiated capabilities, and by becoming the root of trust in very complex applications.  

A major benefit of flash FPGAs is that a flash FPGA stores configuration information on-chip in non-volatile memory, preventing anyone from capturing information for reverse engineering or design tampering during device configuration.

The FPGA must protect all data including the application data that it is processing. This requires numerous data protection features including hardware protection from differential power analysis (DPA) and other side-channel attacks. Simple and differential power analysis (SPA/DPA) can be used to extract secret keys by measuring power consumption during cryptographic operations like bitstream loading. Not only is it important to provide countermeasures to side channel attacks, it’s also important that systems are assessed as to their claims. Microsemi SmartFusion2 and IGLOO22 FPGAs are the only FPGAs to achieve CRI DPA logo certification.

Also important is machine authentication using a PUF to generate a private public key pair. Analogous to a human fingerprint, the PUF serves as an unclonable “biometric” identifier unique to each device. 

An SRAM PUF (Fig. 1) measures the random start-up state of the bits in an SRAM block. Each SRAM bit comprises two cross-coupled inverters that are nominally equal but not completely identical. As power is applied to the IC, each SRAM bit starts up in either the “one” or “zero” state based on a preference that is largely determined during IC manufacturing.

The SRAM PUF can be designed to guarantee perfect key reconstruction with exceptionally low errors, and the SRAM PUF’s secret key is extremely well protected since its secret effectively disappears from the device when the power is off. No amount of subsequent analysis will reconstruct the PUF secret key if the activation code is erased.

FPGA or SoC FPGAs with PUF technology must also include built-in cryptographic capabilities -- i.e., hardware accelerators for AES, SHA, HMAC and elliptic curve cryptography (ECC) -- as well as a cryptographic­grade true random bit generator. This ensures that a user PKI can be created with the user’s own certificate authority blessing each legitimate machine in the network. Each machine has a chain-of­ trust extending from the user’s well-protected root-CA keys to the PUF’s high-assurance, atomic-level identity. Every machine and their communications are protected and can be safely, securely and confidently used in M2M, IoT and other hyperconnected applications.

Aliso Viejo, CA
(949) 380-6100