Flexible and Low-Cost HSM based on Non-Volatile FPGAs

Embedded systems supported on FPGAs are increasingly playing a higher role on safety-critical areas. A particular example of a safety-critical system is a Hardware Security Module, providing private key management and usage in a secure and reliable way. However, commerically available systems are too expensive and limited in the provided functionality. On the other hand, existing volatile FPGA solutions do not adequately provide the needed security features.

This works consists of an open-source, low-cost and highly flexible re-configurable Hardware Security Module, supported by a System-on-Chip with a non-volatile FPGA. The presented solution operates as a versatile certification system that provides key management, digital signature services and is able to issue trustworthy certificates. The solution can be used, for example, in IT security applications through an integration with the included PKCS#11 interface.

To further illustrate the flexibility of the proposed solution, a Log-Chain certification use-case is also presented. Experimental results suggest that the system is able to compute up to 2 sign/certification operations per second, with a low cost, adaptable and secure approach.

Main Characteristics

Low-cost re-configurable device from Microsemi: Smartfusion2 Security Evaluation Kit containing a Smartfusion2 90-TS.
Secure internal data storage.
Secure internal key generation and storage with PUF-based service.
True Random Number Generator.
Differential Power Analysis protected Elliptic Curve Point Multiplication core.
Simple Power and Timing Analysis protected AES-256, ECC and SRAM-PUF cores.
FPGA-accelerated SHA-256 core.
Secure communication channel (ECIES).
Extended PKCS#11 API for Windows.
External Flash memory storage with data confidentiality and integrity assurances.
Open-source design and software.

Main Features

One administrator.
Multiple Users, each with an internal non-exportable key pair (can export public key certificate).
ECC-based digital signatures generation (ECDSA) on the NIST P-384 curve.
ECC-based digital certificates generation on the NIST P-384 curve.
Ability to generate and export key pairs.
Ability ot generate digital certificates for a given public key.
Log-Chain use-case: ability to create a chain of logs which guarantees non-repudiation of events.

Download

The Bitstream configuration can be downloaded from here.

The Visual Studio project (PC side) can be downloaded from here.

The SoftConsole project (HSM side) can be downloaded from here.

Libero SoC Project: send e-mail to chaves123@gmail.com to request project source.

License

This work is free to be used for non commercial use. If you use it work, please reference paper:

Diogo Parrinha and Ricardo Chaves, "Flexible and Low-Cost HSM based on Non-Volatile FPGAs", International Conference on Reconfigurable Computing and FPGAs (ReConFig'17), September 2017.