Embedded Security Using Cryptography

In the previous blog post, “Securing Offload Engines for a Robust Secure SoC System,” we briefly looked at some of the methods employed for achieving embedded security, i.e., cryptography, hardware partitioning and isolation, and hardware root of trust. In this blog, and subsequent blogs, we will explore more about each of these approaches in detail.

Cryptography is not a new concept. It’s been around for ages. Cryptography can be employed for securing firmware, proprietary IP and sensitive data. Proper implementation of cryptography ensures confidentiality, integrity, and authenticity, or in short, “CIA.”

Fig. 1: Depiction of cryptography.

Confidentiality

Encryption is converting information that is in a readable plaintext format into an unreadable ciphertext format by use of mathematical algorithms or ciphers and unique keys. The ciphertext can only be read by those who have knowledge of the algorithm and the keys used for encryption. There are essentially two ways to implement encryption:

• Symmetric Cryptography – A single shared cryptographic key is used for encryption and decryption. Some of the commonly used ciphers include AES, DES, triple-DES and so on. Symmetric cryptography is generally fast and suited well for large chunks of data. However, the vulnerability of symmetric cryptography lies in how securely the key is stored and distributed.

Fig. 2: Symmetric cryptography.

• Asymmetric Cryptography – Also known as public key cryptography, uses a pair of private key/public key for encryption and decryption. If a resource, whether it’s the firmware image or sensitive data, is encrypted using a private key, it can only be decrypted using the corresponding public key. In public key cryptography system, the private key must be securely stored and kept secret all the time. It can never be shared. Only the public key is shared. RSA and ECC are some of the algorithms used for public key cryptography.

Fig. 3: Asymmetric cryptography.

Authentication and integrity

When we mention cryptography, often only encryption that comes to mind. However, the other important aspect of cryptography is hashing, which addresses authentication and integrity in CIA. A hash is fixed-length random-looking code that serves as a thumbprint for data of arbitrary length. The most important property of a hash is that it is unique. No two different data sets can have the same hash. Because of this property, hash functions are used as an integrity check of data, ensuring it has not been modified.

Fig. 4: Hashing.

In addition to an integrity check, hashing in combination with symmetric key or public key cryptography can be used to create a unique digital signature for authentication. The hash of the resource is first computed using a hash function such as SHA-1, SHA-256 or SHA-3. This computed hash value is then encrypted using the crypto key. This serves as the digital signature, also known as message authentication code or MAC, which is appended to the resource.

Fig. 5: Digital signing process, public key cryptography.

Now, whenever, the resource needs to be used, it must go through a three-step process. The first step is to decrypt the signature using the crypto keys to extract the original hash value. The second step is to compute another hash value of the resource and, finally, compare the resulting hash value with the extracted hash value to confirm the integrity of the resource, i.e., to show that it has not been tampered with and that the source of the resource is authentic.

Fig. 6: Authentication process, public key cryptography.

Now that we have covered the basics on cryptography, we will look at how cryptography can be implemented with Cadence’s Tensilica processors in the next blog post.

References

• David Kleidermacher, “Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,” Newnes, 2012.
• Mehmet Yildiz, “A Practical Guide for IoT Solution Architects,” S.T.E.P.S. Publishing Australia, 2019.
• Brian Russell and Drew van Duren, “Practical Internet of Things Security,” Packt Publishing, 2018.
• Yang Qian, “Applied Cryptography in Embedded Systems,” Master’s Thesis, University of Vaasa, 2013:
  https://osuva.uwasa.fi/bitstream/handle/10024/6687/osuva_5564.pdf
• Embedded Staff, “IoT Security – Cryptography,” Embedded.com, May 28, 2019:
  https://www.embedded.com/iot-security-cryptography/
• Timothy Stapko, “Cryptography for embedded systems – Part 1: Security level categories & hashing,” EETimes.com, June 7, 2010:
  https://www.eetimes.com/cryptography-for-embedded-systems-part-1-security-level-categories-hashing/
• Embedded Staff, “Securing the IoT: Part 1 – Public key cryptography,” Embedded.com, January 11, 2015:
  https://www.embedded.com/securing-the-iot-part-1-public-key-cryptography/
• Timothy Stapko, “Cryptography for embedded systems – Part 1: Security level categories & hashing,” EDN.com, June 7, 2010:
  https://www.edn.com/cryptography-for-embedded-systems-part-1-security-level-categories-hashing/