DSPs have become basic devices in communications, computing, consumer electronics and other fields thanks to their performance and distinctive characteristics. With the growing emphasis on intellectual property rights, protecting one's own work against theft by a decryptor has also become an important part of the designer's job when building products around a DSP [1,2]. If the product is mass-produced, the operating program and data can be written into the chip using mask technology and similar processes so that they cannot be read out, which achieves protection. For products that have not yet reached volume, such a method greatly increases the cost. This paper therefore proposes a method of constructing an encryption system from the 3DES, Geffe generator and MD5 algorithms to protect DSP programs.
1 Encryption principle and hardware structure
1.1 Encryption principle
The encryption principle of this system can be divided into two levels. The first is the initial protection of the program, that is, before writing the program into the DSP chip, the source code is encrypted and then the ciphertext is written into the chip. In this way, there is no source code in plain text in the chip. When the program is to be run, the key is taken out from the microdog for decryption and then the program continues to run. The second level is the continuous protection during the running of the DSP program. Its processing object is some important parameters or variables. By "locking", they are always in the program in ciphertext form. Only when these data are needed, the key is taken out from the microdog for decryption. After use, it is still "locked" for protection so that it is still in ciphertext form.
1.2 Hardware structure
In this encryption system, a microdog is required to implement key management. If the original DSP system already has an EPLD, CPLD or microcontroller with encryption bits, these existing resources can be designed to act as the microdog, and no additional hardware is required. Otherwise, a microcontroller can take on the microdog function, a choice justified by its good cost-performance ratio.
2 Working process and key management
According to the encryption principle, the working process of this system is also divided into two levels. First, it is the initial program protection, which takes the program as a whole as the processing object. Then, it is the continuous protection based on data. The protection object is some important parameter variables. It ensures that encryption runs through the entire process of program operation. In the working process, key management is very critical. It can be said that the security of this system is reflected in key management.
2.1 Initial program protection
The encryption algorithm used for initial program protection is the 3DES algorithm. After the encryption is completed, the key is destroyed and the ciphertext is written into the chip. In this way, the program never exists in the chip in plaintext form, which prevents others from obtaining the program source code through simple disassembly. When the DSP program starts running, under the control of the DSP monitoring program, the corresponding key is taken out from the microdog, and the source code is decrypted and restored.
The microdog mainly implements the key management function. Its internal key generation mechanism is exactly the same as that of the main program. When the main program is written into the DSP chip as ciphertext, the monitoring program informs the microdog, and the corresponding key K0 is generated inside the microdog at the same time; when the main program starts running, the key K0 is taken out from the microdog under the control of the monitoring program and used for decryption to obtain the plaintext source code.
However, since there is only one key, the decryptor can easily obtain the key by intercepting the communication data between the DSP and the microdog. Once the key is obtained, this protection system is useless. Therefore, we have adopted data-driven continuous protection.
2.2 Data-driven continuous protection
The so-called data-driven continuous protection encrypts the important parameters or variables in the program. Since these parameters or variables are used repeatedly while the program is running, protecting them carries the encryption through the entire running process of the program.
For example, the filter coefficient a_p is protected by encrypting it, that is, "locking" it, and destroying the key at the same time. Calculating a_(p+1) requires a_p, so a request is sent to the monitoring program. Under its control, the corresponding key is taken out from the microdog and consumed, and a_p is restored to perform the calculation. After the operation is completed, a_p and a_(p+1) are "locked" and saved, and the DSP main program continues to execute. In this way, through constant "locking" and "unlocking", the data stays in ciphertext form in the DSP main program throughout.
At this time, the generation of the key in the microdog must be "synchronized" with the encryption processing in the DSP main program, that is, the encryption key of the main program must be the same as the corresponding key generated in the microdog. This can be achieved by the DSP monitoring program using the internal interrupt program of the DSP. After the encryption of a parameter or variable using the key Ki is completed, the monitoring program is informed of the encryption completion through an interrupt, and then the key is locked and destroyed. When the DSP program continues to execute, if the parameter or variable needs to be used, a request is sent to the monitoring program, and under the control of the monitoring program, the corresponding key Ki is taken out from the microdog and decrypted. The specific process is shown in Figure 1.
Among them, a and b are data exchanges between the main program and the DSP monitoring program, including calling and answering each other; c is the control of the DSP monitoring program on the microdog, issuing certain commands; d is the main program taking out the corresponding key from the microdog under the control of the DSP monitoring program.
The microdog arranges the generated keys in sequence and then waits for the main program to take the keys. Whether it is initial program protection or continuous protection based on data, it is only controlled by the monitoring program. This ensures that the main program obtains the correct key.
After adding continuous protection, the decryptor must track the entire running process of the program in order to obtain the source code. In this way, for the decryptor, the cost is equivalent to writing a set of programs independently, and obviously the need for decryption is lost.
2.3 Detail processing
In addition to the above protection measures, you can also use some programming skills, be careful in details, and write a "dazzling" program. Otherwise, the decryptor may not have to track it completely to obtain the source program. Because the purpose is to confuse others, you have to try to destroy the readability of the program. For example, disrupt the normal order of the program to make it appear chaotic; insert useless codes at the right time and place to increase interference; make the names of parameter variables obscure and difficult to understand, and never use names such as key and digest that can be understood by literal meaning. In short, the decryptor should be confused about the content obtained to increase the difficulty of restoring the source program.
3 Related algorithms and key generation mechanism
The encryption algorithm of this system is 3DES, which is a symmetric algorithm. Its security can be said to be completely reflected in the key. Therefore, how to generate a "secure" key is crucial. In the key generation mechanism, the Geffe generator and MD5 algorithm are used.
3.1 Related Algorithms [3]
(1) 3DES Algorithm
The Data Encryption Standard (DES) was created in the 1970s. After more than 20 years of use, it is still a global encryption standard, which shows that its security is quite high. It is a block cipher that encrypts data in 64-bit blocks. The key K is also 64 bits long and can be any number. DES is symmetric: the same algorithm and key are used for encryption and decryption (apart from the order in which the subkeys are applied). Therefore, it can be said that the confidentiality of the DES algorithm depends entirely on the key K.
At present, the most effective way to crack DES is to use brute force attack. The reason why DES is no longer secure is that its key is short. With today's computing technology, the amount of calculation is not very large. However, if the length of the key is increased, its security can be enhanced accordingly. 3DES is based on this principle. When encrypting, two different keys K1 and K2 are used to encrypt a block three times. That is to say, first encrypt with key K1, then decrypt with key K2, and finally encrypt with key K1; when decrypting, first decrypt with key K1, then encrypt with key K2, and finally decrypt with key K1.
The calculation formula is as follows:
C = E1(D2(E1(P))) (1)
P = D1(E2(D1(C))) (2)
Here, P is the plaintext and C is the ciphertext. Ei() is the encryption function under key Ki and Di() is the decryption function under key Ki.
(2) Geffe generator
The Geffe generator is a keystream generator for stream ciphers built from linear feedback shift registers (LFSRs). The output of an LFSR is an m-sequence, which is a pseudo-random sequence. The Geffe generator uses three LFSRs combined in a non-linear manner: two LFSRs are the inputs of a multiplexer, and the third LFSR controls the multiplexer's output. With a correlation attack, it is not difficult to crack the Geffe generator, so its output cannot be used directly as the key of the 3DES algorithm. It is therefore passed through a message digest first.
(3) MD5 algorithm
MD5 (Message Digest) algorithm is an authentication algorithm standard designed and invented by Ron Rivest, a cryptographer at MIT and one of the inventors of the RSA algorithm. The MD5 algorithm was completed in 1992. It can input a message of any length and obtain a 128-bit output. This algorithm can ensure that the probability of two different messages generating the same digest is very small, and it is extremely difficult to reversely find the corresponding message from a given digest. Therefore, using the digest as the key can not only ensure randomness, but also improve security.
3.2 Key Generation Mechanism
Whether from the 3DES algorithm itself or from the encryption principle of the system, the key generation mechanism is crucial. Therefore, it is necessary to ensure that the key used is safe. Its security is reflected in two aspects: one is that the key itself is random; the other is the key management mechanism.
The key generation process is as follows: first, a random sequence is obtained by the Geffe generator, and then the digest is obtained through the MD5 algorithm. The 128-bit data obtained is the combination of key K1 and key K2. It can be seen from the Geffe generator and the MD5 algorithm principle that the key generated in this way is random.
It can be seen from the working process of the system that the key management is safe. This is because in the main program, after the encryption is completed, the key is destroyed immediately, and the key is not retained in the main program; when the key is used, it is obtained from the microdog through the monitoring program. The microdog and DSP are physically separated, which ensures the security of key storage.
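The key generation of sections 3.1(2) and 3.2, as an added Python sketch that is not the authors' DSP code: three LFSRs feed a Geffe multiplexer, 64 keystream words are hashed with MD5, and the 128-bit digest is split into K1 and K2. The register lengths, feedback masks, seeds, the K1/K2 split order and all helper names are assumptions made for illustration; `agreement_with_input` measures how often the raw output equals one input register (about 75%), the bias that makes the raw sequence unsuitable as a key.

```python
import hashlib

class LFSR:
    """Galois LFSR shifting right; `mask` encodes the feedback polynomial."""
    def __init__(self, mask, seed):
        self.mask = mask
        self.state = seed & ((1 << mask.bit_length()) - 1)
        if self.state == 0:
            raise ValueError("an all-zero LFSR state never changes")

    def step(self):
        out = self.state & 1
        self.state >>= 1
        if out:
            self.state ^= self.mask
        return out

class Geffe:
    """`ctl` selects which of the two input registers reaches the output."""
    # 16-, 17- and 19-bit feedback masks: an illustrative choice, not the paper's.
    MASKS = (0xB400, 0x12000, 0x72000)

    def __init__(self, seeds):
        self.ctl, self.a, self.b = (LFSR(m, s) for m, s in zip(self.MASKS, seeds))

    def bit(self):
        """Return (output bit, raw bit of input register `a`)."""
        c, x, y = self.ctl.step(), self.a.step(), self.b.step()
        return (x if c else y), x

    def words(self, n=64):
        """n 16-bit keystream words, packed big-endian."""
        out = bytearray()
        for _ in range(n):
            w = 0
            for _ in range(16):
                w = (w << 1) | self.bit()[0]
            out += w.to_bytes(2, "big")
        return bytes(out)

def next_key_pair(gen):
    """MD5 over 64 keystream words; digest split as K1 || K2 (assumed order)."""
    digest = hashlib.md5(gen.words(64)).digest()
    return digest[:8], digest[8:]

def agreement_with_input(seeds, nbits=20000):
    """Fraction of Geffe output bits equal to input register `a`."""
    g = Geffe(seeds)
    return sum(o == x for o, x in (g.bit() for _ in range(nbits))) / nbits

SEEDS = (0xACE1, 0x1BEEF, 0x5A5A5)  # constructed sample seeds, not from the page
```

Running the same generator from the same seeds on the DSP side and in the microdog yields the same sequence of (K1, K2) pairs, which is the synchronization section 2.2 relies on. The digest hides the keystream but adds no entropy: every key is a deterministic function of the three seeds.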
4 Result Analysis
Strictly speaking, this method does not belong to encryption, but is just a means of protection - using a few simple methods, combined with the characteristics of DSP and single-chip microcomputer, to construct a protection system. Even so, its effectiveness can be analyzed from two aspects.
4.1 Security Analysis
Since it is a protection method, security is the most important indicator. The encryption principle and working process of this system show that security can be ensured. The 3DES algorithm is a very good encryption algorithm both in theory and in practice. Although the algorithm can be cracked by exhaustive attack, this requires 2^112 attempts, and the cost is too high to be worth it. Therefore, as long as the security of the key is guaranteed, this protection system can be considered complete. From the perspective of the key generation process and management mechanism, the key is safe.
4.2 Performance Analysis[4~6]
This protection method is very fast, because the 3DES algorithm combines confusion and diffusion and uses only standard arithmetic and logical operations. The Geffe generator and MD5 algorithm also mainly use logical operations, which are very convenient to implement with DSP or single-chip microcomputer. For example, for TMS320VC5402, the Geffe generator needs 296,544 cycles to generate a 64-word pseudo-random sequence, and MD5 needs 3400 cycles to process a 64-word message, which takes 2965ms and 0.003ms respectively.
Therefore, we only use some simple algorithms, combined with DSP and a microdog, to construct a DSP program protection system, and get good results at a small cost, which is still worth it.