Embedded system designers have new network security weapons that can ensure information security, prevent tampering, and build trusted systems.
The scale and complexity of the Internet of Things (IoT) continue to rise, and the demand for proactive security measures is increasing. The use of software security features alone is no longer sufficient to deal with known cyber threats. A more effective approach is to adopt a layered technology strategy, which begins with the adoption of a new generation of system-on-chip (SoC) FPGAs that can provide an IC-level hardware root of trust . Based on this solid foundation, a scalable solution should be adopted, including the selection of other components according to the risk appropriate, such as security measures for dynamic data, data in use and static data, as well as encryption and software protection.
At present, the entire network infrastructure is more vulnerable to attacks than before, complicating security challenges. The number of connected IoT devices has grown exponentially, increasing the security risks of hardware and embedded systems. The networked devices installed in network infrastructure and information systems are becoming more and more complex and diverse, so they must be protected with appropriate security levels and proactive protection methods. These protection methods should be optimized according to the number, frequency, and type of threats.
Take a multi-layer approach
Appropriate security must be extensible, and it must start with an IC-level hardware root of trust (Figure 1). In order to ensure hardware, implement design security and lock data security, other component technologies and supporting components are also essential.
The first group of technologies and supporting components are used to ensure information security, using physical anti-cloning function (PUF), advanced encryption accelerator, and patented anti-differential power analysis (DPA) function to store and transmit information through the key.
Figure 1: A multi-layer approach is essential to ensure hardware security, implement design security, and lock data security.
The second group of technologies includes tamper resistance. This group of technologies includes secure bitstream, tamper detection and response, and mechanisms to prevent copying, cloning, or anti-cloning engineering.
The third group is to establish a trusted system, which is achieved through licensing and certification of patent protection against DPA, NIST certified encryption accelerators and a secure supply chain.
FPGA provides system root of trust
The new generation SoC FPGA has various characteristics necessary to establish the system root of trust, and the system root of trust is a necessary foundation to prevent critical data from being attacked.
For example, current FPGAs provide licensed, patented, and certified DPA protection, ensuring that design intellectual property (IP) is prevented from being copied and reverse engineered. DPA protection also provides supply chain assurance by verifying that the FPGA is credible. The current SoC FPGA also provides verification by verifying the authentication parameters of the device certificate and by proving the unique device key. This technique is the most effective way to ensure that the device being programmed does not pose a supply chain counterfeiting problem.
Figure 2: Microsmart SmartFusion2 SoC FPGA uses built-in design security features to protect valuable
Design IP.
In addition to protecting IP, current FPGAs also enhance network security by preventing product reverse engineering. Encrypt and protect the configuration bit stream to ensure the security of FPGA-based designs. When tampering is detected, the device must be able to recognize this unauthorized access and reset all values ​​to zero. Doing so significantly reduces the chance of successful attack. In order to further strengthen the protection of the data in use, integrated licensing DPA countermeasures and strengthen the FPGA's ability to resist dangerous DPA key extraction attacks. Even better is the integration of special security lock bit features that enable the FPGA to define a security barrier, thereby requiring authorization before using certain system capabilities.
In addition to DPA protection and anti-tampering capabilities, other key FPGA features that provide the system's root of trust include encrypted bit streams, multi-key storage elements, secure flash memory, and integrated PUF.
Increase the security layer
Using SoC FPGA to provide a trusted root of design hardware, the next step is to adopt a method called "Defense in Depth" by the Department of Defense to add multiple security layers throughout the system. Related hardware solutions provide multiple IA layers and encryption technology support to ensure the safety of static data, dynamic data, and data in use in software applications, FPGA, and SoC designs.
For static data, memory is the focus area. Strict embedded computing applications are best to use high-reliability and secure SSD. Highly secure SSDs must protect sensitive data from threats while reducing the inherent vulnerabilities of storage media. Therefore, in order to achieve the best information security guarantee, it is necessary to use hardened SSD with hardware encryption and loss prevention function.
To protect dynamic data, a new method can be used in conjunction with Ethernet, because Ethernet operates at layer 2 (L2) and its own encryption protocol is defined in the IEEE 802.1AE MACsec standard. There is a direct link between the security strength of the solution and the security implementation layer. Because of this relationship, L2 security encryption is required for Ethernet connections. There are currently several security solutions that can implement mobile-based, end-to-end IEEE 802.1AE MACsec security encryption on any network (including multi-operator and cloud-based networks). This security is independent of whether the network is aware of the security protocol, and the physical layer solution (PHY) provides 128/256-bit AES encryption to respond to evolving network threats.
Whether it is static data, dynamic data or usage data, multiple layers of encryption should be used to ensure security. One example is the use of software encryption to reduce the security vulnerabilities that can occur when extracting encryption keys from static or runtime storage. New software-based technologies provide advantageous key hiding solutions, using a wide range of algorithms and platform support to protect passwords and encryption keys.
Another important system element that must be protected is synchronization timing, especially the synchronization timing of critical communication infrastructure. Many organizations rely on publicly available time servers to provide Coordinated Universal Time (UTC) sources. In order to transmit these UTC sources and maintain a comprehensive and secure timing infrastructure, there must be a robust end-to-end timing solution for generating, distributing, and using precise time.
To integrate these components, it usually requires expertise, and independent laboratories sponsored by component suppliers provide developers with resources for embedded system security. These centers employ security and system analysts, cryptographers, and hardware and software engineers to work together to help them plan protection strategies, evaluate risks, evaluate black box designs, and perform security engineering and other important tasks in order to The company provides valuable cross-vertical expertise.
For embedded system designers, network security is very important. Current SoC FPGAs provide a trusted foundation for multi-layer solutions and protect the information and technical security of key projects. Building a solution with the right risk requires an appropriate combination of the right technology and capabilities to expand the security solution to respond to evolving threats.
Child Shoes Led Light, Led Flashing Shoe Light, Shoe Led Light
AST Industry Co.,LTD , https://www.astsoundchip.com