Programmable Devices
CPLDs, FPGAs, SoC FPGAs, Configuration, and Transceivers
20750 Discussions

Design Security

Altera_Forum
Honored Contributor II
‎02-12-2009 09:43 AM
1,300 Views

I' am looking for a possibility to encrypt our design. I' am using Cyclone II in configuration mode PS. A Microcontroller uploads the Firmware as a .rbf file.  

Does anybody know how to encrypt a .rbf file?  

Is it difficult reverse the .rbf bitstream and to figure out the VHDL code. 

 

Thanks for you help!
0 Kudos

Link Copied

7 Replies
Altera_Forum
Honored Contributor II
‎02-12-2009 05:37 PM
590 Views

You can not encrypt the bitstreams for a cyclone II. You have to go to some of the Stratix series and Arria II GX series to get the encryption. In general i believe a bitstream file is worthless if you are trying to get the code out of it, but useful if someone were looking to copy your hardware and then run your software(fpga file) on it. Technically you could retreive a functional diagram of the whole IC from the bitstream, if you knew the format of the bitstream that is, which i believe is propriatary, but it would be hard to do anyhting with that. That being said, there are other things you can do to make the knowlege of a bitstream file worthless if someone were to copy your hardware and steal your bitstream. 

 

Some links that may be helpful: 

 

http://www.altera.com/support/refdesigns/sys-sol/indust_mil/ref-des-secur.html?gsa_pos=1&wt.oss_r=1&wt.oss=design%20security 

 

http://www.altera.com/products/devices/stratix-fpgas/stratix-ii/stratix-ii/features/security/st2-security.html
0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-13-2009 09:38 AM
590 Views

Thanks for the answer. Do you know anything about "Design Security Using the IFF Concept". I found a white paper which describes how to protect the FPGA design just with a simple IC from Dallas Semiconductors and and IP core called SHA-1 IFF Engine. Do you know where to get the code for the SHA-1 IFF Engine. Please find attached the Altera white paper. Thanks!

Preview file
511 KB
0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-15-2009 09:03 PM
590 Views

First, you have to sign an NDA with Dallas to get the full datasheet for the IC. You can view an abridged version online, which should be enough to get you started. It is a pretty simple 1-wire interface, which i believe this from opencores will work :  

http://opencores.org/projects.cgi/web/opb_onewire/overview 

 

And a few SHA cores from opencores: 

http://opencores.org/projects.cgi/web/sha_core/overview 

http://opencores.org/projects.cgi/web/sha1/overview 

 

Merge the interface and the encryption core together and add some control around them and you have your protection.  

 

You can also implement what is in the Maxim part in a MaxII or the like if you already have one on the board, just make sure you have enough logic elements in the maxII to do the encryption. I think altera provides a reference design to do it that way, but i have not requested to view it yet.
0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-16-2009 03:14 AM
590 Views

Hello. 

 

Can you tell me what country you are located in? 

What your intent is with this encryption? 

Your citizenship? 

 

If you wish to reply just to me you can use the system to do that, if you prefer.
0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-16-2009 03:51 AM
590 Views

I don't see how that is pertinent. We are discussing reference designs from Altera's website. Can you shed some light on the relevance of either of our countries of origin?

0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-16-2009 08:48 AM
590 Views

Thanks for the help. 

I' am located in UK and my citizenship is German.  

We want to send one of our products (digital camera) to a competitor….we have to because one of our customers wants that they integrate our camera in their product.  

Because we upload the firmware to the FPGA per .rbf, we want to encrypt the firmware because it’s quite likely that they copy the design.
0 Kudos
Copy link
Altera_Forum
Honored Contributor II
‎02-17-2009 01:00 AM
590 Views

Answering kbs972; 

There are restrictions on release of cetain types of encryption information here in the U.S.A. that are controlled by ITAR. Some reference designs show generic methods for achieving the desired effect. Some companies my not be allow to export that information, but may be able to provide it within the country you are located, based on how they apply for, and release that information to you. 

 

Sasushi1; 

Dallas Semiconductor was aquired by Maxim Semi, and may still offer the product listed above. Check with them - the one wire interface is pretty good, and only takes 1 I/O pin (as the name implies). 

As kbs972 very corretly points out, you will not be able to protect (encrypt) the .rbt file as the Cyclone device has no means of decrypting it. 

Good luck with your efforts.
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.