Secure field-programmable gate array (FPGA) architecture
First Claim
1. A method of configuring a field-programmable gate array (FPGA), the method comprising:
receiving, at an FPGA, an encrypted FPGA load-decryption key from a remote key-storage device, wherein the remote key-storage device is external to and operatively connected with the FPGA;
calculating, at the FPGA, an ephemeral session key;
decrypting the encrypted FPGA load-decryption key in a key-security unit using the ephemeral session key to provide a decrypted FPGA load-decryption key;
receiving encrypted FPGA-configuration data at the FPGA;
decrypting and authenticating, in a configuration-data security unit, the FPGA-configuration data using the decrypted FPGA load-decryption key, wherein decrypting the FPGA-configuration data includes performing a function on the FPGA-configuration data to obtain an initialization vector, or extracting an initialization vector from the FPGA-configuration data;
receiving a challenge message at the FPGA from an authentication device, wherein the authentication device is external to and operatively connected with the FPGA;
encrypting the challenge message in a state-encryption unit using the initialization vector to generate a response message; and
sending the response message to the authentication device, wherein the authentication device decrypts the response to generate a decrypted challenge message and compares the challenge message with the decrypted challenge message to determine the authenticity of the FPGA-configuration data.
Abstract
A method and system for configuring a field-programmable gate array (FPGA) includes receiving an encrypted FPGA load-decryption key at an FPGA from a remote key-storage device. The remote key-storage device may be external to and operatively connected with the FPGA. The encrypted FPGA load-decryption key is decrypted using a session key, which may be stored at both the FPGA and the remote key-storage device. Encrypted FPGA-configuration data is received at the FPGA, and decrypted and authenticated using the decrypted FPGA load-decryption key. The decryption of the FPGA-configuration data may indicate a cryptographic state associated with the FPGA-configuration data, which may be used in recurring authentication of the FPGA-configuration data. For recurring authentication, a challenge message may be received at the FPGA from an authentication device, which may be encrypted using the cryptographic state and the session key to generate a response message. The response message may then be sent to the authentication device to determine authenticity of the FPGA-configuration data.
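The flow in the abstract, modelled end to end as an added example (not code from the patent or its assignee). HMAC-SHA256 constructions stand in for the hardware ciphers, and the function names, the session-key derivation from a pre-shared secret plus a nonce, and the authentication device holding the session key and the expected initialization vector are all assumptions.

```python
import hashlib, hmac, os

def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, iv, n):  # HMAC counter-mode keystream, stand-in for AES-CTR
    return b"".join(prf(key, b"enc", iv, i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key, plaintext):  # encrypt-then-MAC; output is IV || ciphertext || tag
    iv = os.urandom(16)
    ct = xor(plaintext, keystream(key, iv, len(plaintext)))
    return iv + ct + prf(key, b"mac", iv, ct)

def unseal(key, blob):  # authenticate first, then decrypt; also returns the IV
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac", iv, ct)):
        raise ValueError("authentication failed")
    return iv, xor(ct, keystream(key, iv, len(ct)))

def feistel(key, block, decrypt=False):  # 4-round Feistel on 32 bytes (toy block cipher)
    l, r = block[:16], block[16:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = xor(r, prf(key, bytes([i]), l)), l
        else:
            l, r = r, xor(l, prf(key, bytes([i]), r))
    return l + r

def wrap_load_key(shared, load_key):  # remote key-storage device
    nonce = os.urandom(16)
    return nonce, seal(prf(shared, b"session", nonce), load_key)

def fpga_load(shared, nonce, wrapped, enc_cfg):  # key-security + config-security units
    session = prf(shared, b"session", nonce)  # assumed session-key derivation
    _, load_key = unseal(session, wrapped)
    cfg_iv, cfg = unseal(load_key, enc_cfg)  # IV extracted from the configuration data
    return session, cfg_iv, cfg

def respond(session, cfg_iv, challenge):  # FPGA state-encryption unit
    return feistel(prf(session, b"state", cfg_iv), challenge)

def verify(session, expected_iv, challenge, response):  # authentication device
    key = prf(session, b"state", expected_iv)
    return hmac.compare_digest(feistel(key, response, decrypt=True), challenge)
```

Because the response key is bound to the initialization vector of the configuration that was actually loaded, an FPGA holding a different load cannot answer the challenge even with a valid session key. The challenge is encrypted with a block permutation rather than the keystream so that one observed challenge/response pair does not reveal material for forging the next.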
23 Claims
11. A non-transitory system for configuring a field-programmable gate array (FPGA), the non-transitory system comprising:
a key interface configured for receiving an encrypted FPGA load-decryption key at an FPGA from a remote key-storage device, wherein the remote key-storage device is external to and operatively connected with the FPGA;
a key-security unit configured for calculating an ephemeral session key;
the key-security unit further configured for decrypting, using the ephemeral session key, the encrypted FPGA load-decryption key to provide a decrypted FPGA load-decryption key;
a load interface configured for receiving encrypted FPGA-configuration data at the FPGA;
a configuration-data security unit configured for decrypting and authenticating the FPGA-configuration data using the decrypted FPGA load-decryption key, wherein decrypting the FPGA-configuration data includes performing a function on the FPGA-configuration data to obtain an initialization vector, or extracting an initialization vector from the FPGA-configuration data;
an authentication input interface configured for receiving a challenge message at the FPGA from an authentication device, wherein the authentication device is external to and operatively connected with the FPGA;
a state-encryption unit for encrypting the challenge message in a state-encryption unit using the initialization vector to generate a response message; and
an authentication output interface configured for sending the response message to the authentication device, wherein the authentication device decrypts the response to generate a decrypted challenge message and compares the challenge message with the decrypted challenge message to determine the authenticity of the FPGA-configuration data.