S10 www.rfdesign.

com April 2008

DefenseElectronics
Protecting the key is the "key" to secure
communications
Protecting the key against interference or reproduction by the enemy in the event the end
system is captured requires security enhancements integrated in the system design that
will erase the key in the event of tampering. This article provides an overview of potential
security enhancements including the use of volatile memory of the key code and integration
of the key code memory within the system electronics to optimize the key protection
By Dave Locke
M
any of us remember the events of April
2001 when a U.S. Navy EP-3E surveil-
lance aircraft was forced to land on Hainan
Island off the coast of China after colliding
with a Chinese Air Force F-8 interceptor.
Whether you believe that this incident was
the result of an accident or an intentional act
on the part of the Chinese pilot, the unfet-
tered access to an American Naval aircraft
with its suite of high-tech surveillance and
communications equipment provided China
with a wealth of intelligence data. In fact,
it has been reported that Japanese defense
offcials informed the Pentagon that the
Link-11 secure military communication
system had been compromised and that To-
kyo had ordered its defense forces to change
Link-11 codes immediately after the EP-3E
was captured.
The U.S. DoD spends billions each year
developing advanced secure communica-
tion systems with increasingly complex
encryption algorithms. The incident on
Hainan Island highlights that even the most
complex algorithms are susceptible if an
enemy acquires security key codes. What is
the best media for storing secure key codes?
What are the best techniques for protecting
the secure key codes? These are just some
of the questions that continue to challenge
those entrusted to maintain the security and
integrity of U.S. military and intelligence
data and systems.
Securing key code
Figure 1 is the block diagram of the core to
a secure communication-processing system.
The complex encryption/decryption engine
is typically custom logic implemented with
an ASIC or FPGA, or sometimes with a
microprocessor using custom software to
implement the algorithm. In most cases,
the secure key code used by the encryption
algorithm is stored in a separate memory off-
chip from the encryption engine. There are
many practical reasons why this is done yet
it makes the effort to protect the secure key
code from tampering more complex.
To understand why the effort to protect
the secure key code from tampering, we
must frst understand why this memory is
not integrated within the encryption engine
whether implemented as an ASIC, FPGA
or microprocessor. The secure key code
must be accessible when system power is
on, retained or backed up for long periods
when the system power is shut down, and
have the ability to be immediately cleared
in the event the system is tampered with.
Most secure encryption systems will include
anti-tampering logic to provide the resources
to immediately clear the secure key code if
system tampering has been detected. Anti-
tampering countermeasures are typically
implemented with a layered approach, over-
lapping and integrating a mix of mechanical
and electrical techniques.
A variety of storage media can be used
for secure key code memory but each has ad-
vantages with its own unique anti-tampering
challenges. Consider each of the following
media.
Non-volatile memory, such as fash, EE-
PROM, CDs or DVDs, is used in some sys-
tems for secure key code storage. An example
of an encryption engine with non-volatile
memory is shown in Figure 2. These systems
offer the beneft of being able to retain the
secure key code when system power is shut
down. Anti-tamper logic has been added to
detect if the system has been tampered and
to initiate the erase of the secure key code
memory.
Erasing a non-volatile fash memory or
EEPROM in a secure encryption system
can be problematic. Using a clear signal
on a non-volatile memory may reset the
individual bits to a logic 0. However, the
individual memory bits will retain some
amount of charge from their previous state
even when power is removed. Sophisticated
reverse-engineering techniques can be em-
ployed to extract the previously stored key
code. To ensure that a non-volatile memory
F3-Semi-Figure 1
Key
code
memory
Flash
memory
DDR
memory
PHY
Radio
Encryption-
decryption engine
DSP
Waveform
processor
GPP
PHY
Display
Keyboard
USB port
RJ45
Audio
D
A
C
A
D
C
Figure 1. In this secure communications system, the key code used by the encryption engine is
stored in a separate off-chip memory.
0408DE-F3.indd 10 3/20/2008 12:51:14 PM
RF Design www.rfdesign.com S11
has been completely erased, multiple writes
of all 0s, all 1s or a checkerboard pattern
is performed. This will typically require 20
or more clock cycles and must be able to be
done if the system-tampering event includes
removal of primary system power. Some
amount of power must be retained to power
the anti-tamper logic to generate these clock
cycles. There are techniques for doing this by
retaining charge on a large capacitor, which
must then be protected against tampering as
well. There is also concern that 20 or more
clock cycles are not immediate enough for
clearing the memory.
Erasing CDs or DVDs also has its own
unique set of concerns that must be ad-
dressed by the system designer. The CD
or DVD can be destroyed with acids or fre
but this requires that the threat of tampering
is known before it happens and the system
operator has suffcient time to destroy the
media. For some formats, the media can be
erased but some amount of time and power
are required. Again, the system operator will
need to be aware of the threat of tamper-
ing ahead of time and have suffcient time
to employ an erase algorithm. Like fash
memory or EEPROMs, the erase algorithm
must ensure that no residual data is left on
the media that would allow reverse engineer-
ing techniques to retrieve the data that was
stored on the media.
FPGA suppliers have touted encrypted
confguration fle memory as an alternative
solution that eliminates the need to include
anti-tamper logic. Figure 3 shows a block
diagram of this solution that provides the
beneft of not requiring a battery back-up
and power management circuitry. In this
solution, the secure key code is stored as
non-volatile memory within the FPGA. The
FPGA architecture provides some inherent
barriers to reverse engineering. However,
the key code is non-volatile and, although
the reverse engineering and/or obfuscation
barriers are somewhat increased, they are not
insurmountable with suffcient resources.
Volatile memory
Volatile memory is the most common
solution for secure key code memory. Fig-
ure 4 provides a block diagram of a typical
encryption system with volatile secure key
code memory. Anti-tamper logic has been
included to clear the memory if the system
is tampered with. A battery has been added
to be able to retain the secure key code
when system power is shut down. Power
management circuitry is required to switch
to the battery power and the system power is
shut down and back to system power when
the system is powered up. This is done to
minimize the power drain on the battery to
extend its deployment life.
A volatile memory solution also has some
inherent drawbacks. Certain types of vola-
tile memory require a clock to refresh the
memory. This clock signal would have to be
generated in the battery power domain when
the system power is shut down putting more
of a drain on the battery and requiring that
the battery be replaced more often.
Volatile memory is often used to store
secure key code to encrypt data on fxed me-
dia such as HDDs, CDs and DVDs. In these
systems, the secure key code is generated
by a user-entered password and then stored
in DRAM memory. Common algorithms
such as BitLocker, FireVault, dm-crypt and
TrueCrypt are used to encrypt data stored on
the media. It is generally thought that data
stored in the DRAM memory is lost when
power is removed. However, the results of a
recent study reported by the Princeton Uni-
versity Center for Information Technology
Policy has demonstrated that the contents
of DRAM memories can be retained for
seconds or even minutes even when the
memories are removed from their mother-
boards. Algorithms outlined in the report
show how secure data and the secure key
code itself can be obtained from the DRAM
memories in these systems.
What then is the ideal solution and how
can it be achieved? Lets frst outline some
key system performance specifcations:
The secure key code memory needs to be
erased in the fastest possible time without
F3-Semi-Figure 2
Key
code
memory
Flash
memory
DDR
memory
PHY
Radio
Encryption-
decryption engine
DSP
Waveform
processor
GPP
PHY
Display
Keyboard
USB port
RJ45
Audio
Anti-
tamper
logic
D
A
C
A
D
C
F3-Semi-Figure 3
Key
code
memory
Flash
memory
DDR
memory
PHY
Radio
D
A
C
A
D
C
DSP
Waveform
processor
GPP
PHY
Display
Keyboard
USB port
RJ45
Audio
Encryption-
decryption engine
Confguration fle
decryption
Confg
key
Figure 2. An encryption engine with non-volatile memory.
Figure 3. Alternative solution with the benet of not requiring a battery back-up and power man-
agement circuitry.
0408DE-F3.indd 11 3/20/2008 12:51:27 PM
S12 www.rfdesign.com April 2008
leaving trace charges that would allow the
reconstruction of the memory contents.
The system must be able to detect a tamper-
ing event and trigger an erase of the secure
key code memory.
The secure key code must be retained when
the system power is removed and in the
absence of any tampering.
The secure key code must be retained for
some number of years without system
power.
Of the different types of memory reviewed
above, volatile memory best meets these
system performance specifcations. Volatile
memories can be erased with a direct action
clear signal without the need to generate
any clock signals. An active low clear signal
can be used to work with electromechanical
designs that tie the clear signal to system
ground when a tampering event occurs.
The use of battery power coupled with a
low-power memory and power management
circuitry can retain codes stored in volatile
memory for long periods of time without
system power applied.
The use of volatile memory is not without
challenges however. Power management
circuitry is required that monitors system
power and switches to battery power when
the system power is shut down. This creates
a new hybrid power domain that is used to
power the secure key code memory. This
power domain can also be used to power
some or all of the anti-tampering logic. It is
because of this additional power domain that
system designers are unable to integrate the
secure key code memory and any of the anti-
tamper logic into the encryption/decryption
engine whether it is implemented as a mi-
croprocessor, ASIC or FPGA. As a result,
the system implementation of the volatile
memory requires multiple components on
the system board.
For each component on the system board
that stores, reads or writes the secure key
code, there is a corresponding increase in
susceptibility to a tampering event that could
reveal the secure key code. In addition, the
system operational reliability decreases, and
manufacturing costs increases with each ad-
ditional component mounted on the system
board. System designers are left to make dif-
fcult trade offs between operational security,
system reliability and cost and the mandated
system performance specifcations.
Designers of secure communications
equipment require a single-chip encryp-
tion/decryption engine either in an ASIC,
microprocessor or FPGA that will support
volatile memory powered by a separate
power domain, on-chip power management
tools and confgurable logic that the user
can use to design anti-tamper logic. Such
a solution would optimize operation secu-
rity, improve system reliability and reduce
manufacturing cost.
A block diagram of this optimum solution
is shown in Figure 5. Key characteristics
of this solution would include no external
access to the secure key code memory other
than the clear signal, built-in power man-
agement, a separate power domain for the
secure key code memory and confgurable
anti-tamper logic. Integrating these func-
tions into a single product optimizes system
security while improving system reliability
and decreasing manufacturing costs. A solu-
tion such as this is technically feasible with
mature silicon technologies and only requires
the commitment of a supplier to the secure
military communications market.
F3-Semi-Figure 4
Key
code
memory
Flash
memory
DDR
memory
PHY
Radio
Encryption-
decryption engine
DSP
Waveform
processor
GPP
PHY
Display
Keyboard
USB port
RJ45
Audio
Anti-
tamper
logic
D
A
C
A
D
C
System
power
Battery
power
Power
manager
F3-Semi-Figure 5
Key
code
memory
Flash
memory
DDR
memory
PHY
Radio
Encryption-
decryption engine
DSP
Waveform
processor
GPP
PHY
Display
Keyboard
USB port
RJ45
Audio
Anti-
tamper
logic
D
A
C
A
D
C
System
power
Battery
power
Power
manager
Memory
clear
One device solution
Figure 4. A typical encryption system with volatile secure key code memory.
Figure 5. Optimal solution with on-chip volatile memory, anti-tamper logic, and power
management
ABOUT THE AUTHOR
Dave Locke is Mil/Aero product man-
ager at AMI Semiconductor. Locke
currently manages the XPressArray-II
Structured ASIC product line for the Mil/
Aero Business Unit at AMI Semiconduc-
tor where he has worked for more than
15 years in a variety of engineering and
marketing roles. Prior to his current po-
sition, Dave managed the XPressArray
product line, which was the industry's
rst 0.18 m structured ASIC product.
He holds a bachelors degree in electrical
engineering from Georgia Tech and has
worked in the ASIC eld for more than
25 years.
0408DE-F3.indd 12 3/20/2008 12:51:42 PM