VLSI IMPLEMENTATION OF THE KEYED-HASH MESSAGE AUTHENTICATION CODE FOR THE WIRELESS APPLICATION PROTOCOL
G. Selimis, N. Sklavos and O. Koufopavlou
Electrical and Computer Engineering Department, University of Patras, Patras, GREECE
ABSTRACT
Security has become a very critical issue in the provision of mobile services. The Wireless Application Protocol (WAP) has specified a powerful security layer, the WTLS. The Keyed-Hash Message Authentication Code (HMAC) has been adopted by the WTLS in order to support the special demands for authentication with high-level security strength. A VLSI architecture and the FPGA implementation of HMAC for the WTLS are proposed in this work. The introduced design is based on the SHA-1 hash function. The implementation results for both the proposed HMAC and SHA-1 architectures are compared with other related works. From these comparisons, it is proven that the proposed system performs better in all of the cases. It is also superior to the conventional hardware implementations in terms of the Area-Delay product. In addition to the WAP protocol, the proposed architecture can be implemented for any authentication system of computer networks and wireless protocols that combines high-performance demands with strong authentication needs.
1 INTRODUCTION
Wireless networks intentionally radiate data over the area that they cover and beyond the limits that the network controls. This means that someone with the appropriate technical equipment can passively retrieve all the transmitted information from a distance. It is obvious that wireless communications, as a shared medium, can be easily intercepted. Encryption and authentication are always considered when developing a wireless protocol, such as WAP [1], or a mobile networking system. Authentication in particular is a very critical security issue, in addition to the encryption of data transmission [2]. Every client and application server provider must be authenticated, so that both communicating parties can be sure that the other party is the one it claims to be. In most cases, the services need strong authentication with certificates. In the WAP security layer (WTLS) especially, a great number of operations require the Keyed-Hash Message Authentication Code (HMAC) [3].

In this paper, a VLSI architecture of the Keyed-Hash Message Authentication Code (HMAC) for the WAP security layer is proposed. The introduced system is based on the SHA-1 hash function [4-5], which is specified by the WAP protocol. Furthermore, the proposed system can be used in implementations of authentication systems for computer networks and wireless protocols in general. The proposed architecture guarantees a high security level in all the applications requiring message authentication, via the construction of a message authentication code. The security strength and the advantages of the SHA-1 hash function that the proposed architecture is based on ensure a high security level in the implementation of this authentication scheme (HMAC). The proposed HMAC architecture is designed for a certain cryptographic function (SHA-1), which has been approved by FIPS [4-5]. However, with minor modifications to the proposed HMAC architecture, the selected SHA-1 can easily be replaced with any other hash function, according to the user needs and the application demands.

The FPGA implementation results for both the proposed HMAC architecture and the SHA-1 hash function are presented in detail, in terms of covered area, frequency and throughput. From the comparison results with other related works on SHA-1 [6-8], it is proven that the proposed architecture performs better in all of the cases.

This paper is organized as follows: in Section 2 the WAP protocol is introduced and its dedicated security layer, WTLS, is described briefly. In the next section the proposed system architecture is presented in detail. The synthesis results of the VLSI implementations are given in Section 4, together with comparisons with other related works. Finally, conclusions and observations are discussed in the last section.
2 WAP AND SECURITY
2.1 Wireless Application Protocol (WAP)
The Wireless Application Protocol (WAP) is a new protocol for data transmission by wireless devices, defined by the WAP Forum [1]. In most mobile networks, the transmitted data is encrypted in the air and complete end-to-end security is not supported in the unwired network itself. This is the major reason why an extra layer, dedicated to security, is needed in WAP. The security layer of WAP is the Wireless Transport Layer Security (WTLS). It is the equivalent of the Transport Security Layer (TLS) in the mobile world. This layer introduces new features such as key refreshing, datagram support, optimized packet size and handshake. In the WTLS, data transmission is supported by the security levels of privacy, message integrity and authentication. The DES and RC5 ciphers support privacy, and the MD5 and SHA-1 hash functions have been selected for data integrity. At the authentication level, RSA, Diffie-Hellman and Elliptic Curve are used. In addition, specialized security mechanisms such as HMAC and Digital Signature have been adopted by WTLS.

2.2 Hash Functions
(Fig. 1 diagram labels. Preprocessing: Input Message X; Add Padding Bits; Append Message Length; Padded Data X1 X2 ... Xt. Iterated Processing: Compression Function f(x), Hi = f(Xi); Final Transformation G(Ht).)
Hash functions are used as a building block in various cryptographic applications. The most important uses are in the protection of information authentication and as a tool for digital signature schemes. A hash function is a function that maps an input of arbitrary length into a fixed number of output bits, the hash value. Hash functions can be divided into the following two basic categories:
• One-way hash functions: these functions should be preimage and second preimage resistant, that is, it should be hard to find a message with a given hash (preimage) or one that hashes to the same value as a given message (second preimage).
• Collision-resistant hash functions: a one-way hash function for which it is hard to find two distinct messages that hash to the same value.
Most hash functions are designed to operate as iterative processes which hash input messages of arbitrary length. These functions operate on fixed-size blocks of the input and produce a hash value of specified length (Fig. 1). The procedure is divided into preprocessing, compression and final transformation.
The preprocessing mainly appends the necessary number of bits to the input message, in order to generate the padded data block of specified length. The padded data are divided into t blocks of equal length. Each block Xi serves as input to the compression function h, which each time computes a new transformed data message Hi as a function of the previous Hi-1 and the input Xi. After a certain number of processing rounds, the data are finally modified by the final transformation. In this way the hash value (message digest) corresponding to the input message x is generated.

3 PROPOSED SYSTEM
The Keyed-Hash Message Authentication Code (HMAC) Standard [3] specifies a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative hash function, in combination with a shared secret key. According to the HMAC standard the SHA-1 hash function [4] is used. Let K be the secret key and H(x) the hash function, where the input message is hashed by iterating a basic compression function on blocks of data. B=60 denotes the byte-length of such blocks and L=20 the byte-length of the SHA-1 output (message digest). The authentication key can be any length up to B, which is the input data block length of the hash function. Applications that require keys longer than B bytes will first hash the key using the H(x) function and then use the resultant L-byte data block (hash function output) as the actual key to HMAC. In any case, the minimal recommended length for K is L bytes. In addition, two fixed constants are specified: ipad and opad. In order to compute the HMAC over a data block (D), the following function is applied:

HMAC(K, D) = H((K XOR opad) || H((K XOR ipad) || D))

The HMAC operation can be described as a simple process of 10 steps, which are depicted in Fig. 2:

Steps 1-3: Determine K0
Step 4: K0 XOR ipad
Step 5: (K0 XOR ipad) || text
Step 6: H((K0 XOR ipad) || text)
Step 7: K0 XOR opad
Step 8: (K0 XOR opad) || H((K0 XOR ipad) || text)
Step 9: H((K0 XOR opad) || H((K0 XOR ipad) || text))
Step 10: MAC(text) = leftmost t bytes of H((K0 XOR opad) || H((K0 XOR ipad) || text))
Figure 1: General Model of Hash Function
Figure 2: HMAC Construction
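The ten steps of Fig. 2 in software, as an added example that is not the authors' design: it uses Python's hashlib for H, takes B as 64 bytes (the 512-bit SHA-1 input block described in Section 3.2), and takes the ipad/opad byte values 0x36 and 0x5C from the HMAC standard [3]. The function names and the receiver-side check are assumptions made for illustration.

```python
import hashlib
import hmac

B = 64                      # SHA-1 input block length in bytes (512 bits)
L = 20                      # SHA-1 digest length in bytes
IPAD = bytes([0x36]) * B    # fixed inner pad constant from the HMAC standard
OPAD = bytes([0x5C]) * B    # fixed outer pad constant from the HMAC standard


def xor(a: bytes, b: bytes) -> bytes:
    """Model of the XOR block: byte-wise XOR of two B-byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def key_meets_recommendation(key: bytes) -> bool:
    """The minimal recommended key length is L bytes."""
    return len(key) >= L


def hmac_sha1_steps(key: bytes, text: bytes, t: int = L) -> bytes:
    """Follow Steps 1-10 and return the leftmost t bytes of the MAC."""
    if not 1 <= t <= L:
        raise ValueError("t must be between 1 and L bytes")
    # Steps 1-3: determine K0 (hash keys longer than B, then zero-pad to B)
    k0 = hashlib.sha1(key).digest() if len(key) > B else key
    k0 = k0.ljust(B, b"\x00")
    inner_key = xor(k0, IPAD)                       # Step 4
    inner_msg = inner_key + text                    # Step 5
    inner_hash = hashlib.sha1(inner_msg).digest()   # Step 6
    outer_key = xor(k0, OPAD)                       # Step 7
    outer_msg = outer_key + inner_hash              # Step 8
    mac = hashlib.sha1(outer_msg).digest()          # Step 9
    return mac[:t]                                  # Step 10


def verify(key: bytes, text: bytes, tag: bytes, t: int = L) -> bool:
    """Receiver side: the tag length is fixed by the receiver, not the sender,
    and the comparison is constant-time."""
    if len(tag) != t:
        return False
    return hmac.compare_digest(hmac_sha1_steps(key, text, t), tag)


if __name__ == "__main__":
    # Constructed sample key and message
    key = bytes(range(20))
    tag = hmac_sha1_steps(key, b"constructed sample message")
    print(tag.hex(), verify(key, b"constructed sample message", tag))
```

A receiver that accepted whatever tag length the sender supplied would let a short tag pass after far fewer guesses, which is why `verify` takes t as its own parameter.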
3.1 Proposed System Architecture
The proposed system of the HMAC authentication unit for the WAP security layer is illustrated in Fig. 3.

Figure 3: Proposed System Architecture
(Fig. 3 diagram labels: SHA-1 Unit, Control Unit, Control Signals, Concatenation Unit, XOR Block, Registers, Key K, K0, Fixed ipad, Fixed opad, Temp Data, Common Bus Interface Unit, Address Bus (8-bit), Data Bus (128-bit).)

It is obvious that the proposed HMAC architecture is built on the SHA-1 hash function that has been adopted by the WAP. The control unit coordinates all the system operations according to an FSM diagram. Like most system-on-chip designs, the proposed HMAC architecture includes a simple common bus interface unit for communication with the external environment. Two internal buses, the address bus and the data bus, of 8 and 128 bits respectively, have also been integrated. In addition, an XOR block and a concatenation unit have been included in the proposed HMAC architecture. The concatenation unit is necessary for all the data appending procedures. Finally, some registers are used to store the appropriate constants, temporary data and the key.

The proposed HMAC architecture is designed for a specified cryptographic function (SHA-1) that has been selected by the WAP protocol. However, with minor modifications and with the addition of some extra registers to the proposed HMAC architecture, the selected SHA-1 can easily be replaced with any other hash function. It has been estimated that all the modifications to the proposed HMAC architecture described above would incur an allocated-resources penalty of about 5-10 % of the total system covered area. The operating frequency of the proposed HMAC architecture is equal to the frequency of the hash function unit (SHA-1 in our case). Detailed information on the VLSI implementation performance of the proposed architecture is presented in Section 4.

3.2 SHA-1 Hash Function Proposed Architecture
The SHA-1 hash function has been developed by NIST with NSA [4] in order to be used in the Digital Signature Standard [5] and wherever a secure hash algorithm is required for federal applications. SHA-1 operates on a message or data file of length < 2^64 that is provided as input, and produces a 160-bit condensed representation of the message, called the message digest. The proposed SHA-1 architecture is illustrated in Fig. 4.

(Fig. 4 diagram labels: Padding Unit, Input Data 32-bit, Padded Data 512-bit, Wt_Kt Constants Generator Unit, Wt 32-bit, Kt 32-bit, Transformation Round Unit, Transformed Data Register, 5x32-bit, Control Unit, Last Transformation Unit, Transformed Data 160-bit, Message Digest 160-bit.)
Figure 4: SHA-1 Unit Architecture
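A software model of the SHA-1 unit of Fig. 4, added here as an example and not the authors' VHDL: one function per block of the figure (padding unit, Wt/Kt constants generator, transformation round, last transformation), checked against hashlib. The function names are assumptions that mirror the unit names, and the round function and constants are those of FIPS 180-1 [4].

```python
import hashlib
import struct

MASK = 0xFFFFFFFF  # every adder in the unit works modulo 2^32
# Five 32-bit initial constants from FIPS 180-1
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def padding_unit(msg: bytes) -> bytes:
    """Append a '1' bit, m '0' bits and the 64-bit message length in bits."""
    zero_bytes = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * zero_bytes + struct.pack(">Q", len(msg) * 8)


def wt_kt_generator(block: bytes):
    """Yield the (Wt, Kt) pair consumed by each of the 80 rounds."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    k = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
    for t in range(80):
        yield w[t], k[t // 20]


def transformation_round(t: int, state, wt: int, kt: int):
    """One of the 80 rounds: nonlinear logic function plus modulo additions."""
    a, b, c, d, e = state
    if t < 20:
        f = (b & c) | (~b & d)
    elif 40 <= t < 60:
        f = (b & c) | (b & d) | (c & d)
    else:
        f = b ^ c ^ d
    temp = (rotl(a, 5) + f + e + wt + kt) & MASK
    return (temp, a, rotl(b, 30), c, d)


def sha1_unit(msg: bytes) -> bytes:
    padded = padding_unit(msg)
    h = H0
    for off in range(0, len(padded), 64):       # one 512-bit block at a time
        state = h                               # transformed data register
        for t, (wt, kt) in enumerate(wt_kt_generator(padded[off:off + 64])):
            state = transformation_round(t, state, wt, kt)
        # Last transformation: five additions modulo 2^32
        h = tuple((x + y) & MASK for x, y in zip(h, state))
    return struct.pack(">5I", *h)


if __name__ == "__main__":
    sample = b"constructed sample input"
    print(sha1_unit(sample).hex() == hashlib.sha1(sample).hexdigest())
```

Inputs of 56 to 63 bytes are the case to watch in the padding unit: the length field no longer fits in the same block, so a second 512-bit block is produced.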
The Transformed Data Register is used for temporary storage of the transformed data after every transformation round is performed. The SHA-1 hash function specifies 80 common data transformation rounds in total. The SHA-1 Transformation Round is a specified nonlinear transformation function that mixes logic and arithmetic operations. The Last Transformation Unit finally modifies the transformed data. This unit consists of 5 modulo adders, and additions modulo 2^32 are performed between the input data and the five specified 32-bit constants. In this way, the message digest is finally produced.

SHA-1 sequentially processes 512-bit blocks and computes the 160-bit message digest. The purpose of the Padding Unit is to make the total length of the input data exactly a multiple of 512 bits. The padded message is generated by the following process: a logic "1", followed by m "0"s, followed by a 64-bit integer, are appended to the end of the input data to produce a padded message of length 512*n. The 64-bit integer is equal to the length of the input data message. A sequence of constants and some initialized processing data blocks are used in this hash function. The WT_Kt Constants Generator Unit supplies these constant values.

4 VLSI IMPLEMENTATION RESULTS
The proposed architecture has been captured using VHDL. All the internal components of the design were synthesized, placed and routed using XILINX FPGA devices [9]. The system was then simulated again to verify correct functionality. The synthesis results for both the proposed HMAC and SHA-1 implementations are shown in Table 1.
Table 1: Implementations Synthesis Results
FPGA Device (v150bg352)

               HMAC                SHA-1
               (Used/Available)    (Used/Available)
Fun. Gener.    1593 / 3072         893 / 3072
CLB Slices     1018 / 1728         518 / 1728
Dffs           1736 / 3072         1036 / 3072
F (MHz)        82                  82
Furthermore, comparisons of the proposed SHA-1 implementation with other published works on the same hash function are presented in Table 2. The throughput of the proposed architecture is 4.3 times better than that of the FPGA implementation and 5.9 times better than that of the ASIC implementation of [6]. Compared with the hardware implementation of [7], the proposed one is 6.9 times faster in terms of throughput. The work of [8] is a software implementation on two different kinds of servers. For the first server of [8] no information is provided about the CPU clock, while the second uses a CPU clock of 133 MHz. The achieved throughputs are 4.23 and 41.51 Mbps for these two servers, respectively. The proposed SHA-1 implementation has 121 times and 12 times better throughput than the software works in [8].

Table 2: SHA-1 Implementations Comparison
Implementations    Frequency (MHz)                 Data Rate (Mbps)
SHA-1 [6]          42.9 (FPGA), 59 (ASIC)          119, 86
SHA-1 [7]          37                              74
SHA-1 [8]          Server 1: N/A, Server 2: 133    4.23, 41.51
Proposed           82                              518
In addition, and only for the FPGA implementations of SHA-1, the Area-Delay product can be used as a comparison term between the proposed SHA-1 implementation and the other conventional works [6-7]. As shown in Fig. 4, the proposed architecture is superior to the other conventional FPGA implementations in all of the cases.

Figure 4: Area-Delay Product (CLBs x nsec) Comparison (bar chart, vertical axis 0 to 60; bars: SHA-1 [6], SHA-1 [7], SHA-1 Proposed)
5 CONCLUSIONS
In this paper, a VLSI architecture and the implementation of the Keyed-Hash Message Authentication Code (HMAC) are presented. The introduced system is used in the WTLS security layer. The proposed architecture is based on the powerful SHA-1 hash function. It can also be integrated in authentication systems that are used for the implementation of computer networks and wireless protocols in general. The proposed unit guarantees a high security level in all the applications requiring message authentication, via the construction of a message authentication code based on a hash function. The proposed architecture has high-speed performance. The SHA-1 unit that the HMAC process is based on is faster than other implementations in all of the cases. The above advantages prove that the proposed system is a very efficient solution for the WAP protocol. Furthermore, the proposed system can be used for all types of HMAC applications that combine demanding high-speed performance (LANs, Wireless Protocols) with high-level security authentication demands.

6 REFERENCES
[1] WAP Forum: “Wireless Application Protocol Architecture Specifications”, 2003.
[2] Bruce Schneier, Applied Cryptography – Protocols, Algorithms and Source Code in C, Second Edition, John Wiley and Sons, New York, 1996.
[3] HMAC Standard, National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), 2003.
[4] SHA-1 Standard, National Institute of Standards and Technology (NIST), Secure Hash Standard, FIPS PUB 180-1, www.itl.nist.gov/fipspubs/fip180-1.htm, 2003.
[5] National Institute of Standards and Technology (NIST), Digital Signature Standard, FIPS PUB 186-2, http://csrc.nist.gov/publications/fips/fips186-2.htm, 2003.
[6] S. Dominikus, “A Hardware Implementation of MD4-Family Hash Algorithms”, proceedings of IEEE International Conference on Electronics Circuits and Systems (ICECS’02), Dubrovnik, Croatia, September 15-18, 2002.
[7] P. Kitsos, N. Sklavos and O. Koufopavlou, “An Efficient Implementation of the Digital Signature Algorithm”, proceedings of IEEE International Conference on Electronics Circuits and Systems (ICECS’02), Croatia, September 15-18, 2002.
[8] Michael Roe, “Performance of Block Ciphers and Hash Functions-One Year Later”, proceedings of Second International Workshop for Fast Software Encryption ’94, Leuven, Belgium, December 14-16, 1994.
[9] Xilinx, San Jose, California, USA, Virtex, 2.5 V Field Programmable Gate Arrays, www.xilinx.com, 2003.