FPGA implementation method of secure communication system

Publisher: WhisperingLight. Latest update time: 2011-05-31. Keywords: System

Introduction

At present, information security solutions mostly rely on a single measure to protect information. Against the various attack methods, preventive measures are concentrated on information encryption, security switches, firewalls, authentication, intrusion detection and similar technologies. Each of these provides good security in one respect, but each also has its own shortcomings, and those shortcomings become the weak points of network protection. This article therefore tentatively proposes an information security solution that integrates data encryption technology with an access control strategy.

A hardware implementation of an encryption algorithm offers high speed, high reliability and high security, so implementing the encryption algorithm on an FPGA platform is a good hardware solution. This paper builds an embedded system on Xilinx's Spartan-3e platform to realize secure network communication.

System Design

This system is designed to prevent information leakage, information tampering, illegal user intrusion and other security threats during information transmission. It is a network information security transmission system based on FPGA platform. The system adopts client/server mode, so the system mainly consists of two parts: client and server. The client, as the control center of the whole system, sends requests to the server according to actual needs and displays the received information. The server responds to the client's request and sends the corresponding information. The information between the server and the client is transmitted after encryption to ensure the security and reliability of the information.

System server design

The server uses the Xilinx Spartan-3e development platform, on which an embedded system based on the MicroBlaze processor and the Xilkernel operating system is built. In this system the AES encryption IP, keyboard IP, LCD IP and universal expansion interface control IP are custom, and the network controller IP and serial port IP provided in EDK are added. The system structure diagram of the server is shown in Figure 1. When the server receives a request IP data packet encrypted with AES, it first decrypts the packet with AES. From the decrypted information it analyzes and extracts the requester's ID information and IP information. The client's ID information is its unique authorization certificate number, and the server processes the request according to that ID.


Figure 1 System structure diagram of the server side

System client design

The client also uses the Xilinx Spartan-3e development platform, but it only needs the custom AES encryption and decryption IP, keyboard IP and LCD IP, plus the network controller IP that comes with EDK. The system structure diagram of the client is shown in Figure 2-2. The client is the control center of the entire system. When it needs to collect information, it forms its own unique authorization ID through the MD5 algorithm, and the instruction information and ID information are encrypted with AES and sent to the server. When the server responds to the request, it processes it according to the client's identity and authority.


Figure 2 System structure diagram of the client

System Implementation


The system is implemented using a modular design. It consists of a client and a server, both implemented on Xilinx's Spartan-3e platform.

Hardware implementation of AES algorithm

The AES algorithm is an iterative block cipher that uses a substitution/permutation network (SP). The implementation of the AES encryption algorithm includes a key expansion process and an encryption process. The implementation of the AES decryption algorithm includes a key expansion process and a decryption process. The decryption process is similar to the encryption process and is the inverse operation of the encryption process. The AES encryption and decryption process is shown in Figure 3.


Figure 3 AES encryption and decryption process

The AES encryption and decryption algorithm is described in a hardware description language; this system uses VHDL. Because the encryption and decryption algorithms are similar, many circuit modules can be shared, which keeps the occupied resources as small as possible. In this system the key length and the data block length are both 128 bits. The input information is character data and is encrypted and decrypted character by character, so each character is input as its ASCII value. AES encryption and decryption comprises four main modules: the control module, the AES encryption and decryption operation module, the SBOX module, and the key operation module. The block diagram of the implementation is shown in Figure 3-2.
The resource utilization of the AES encryption and decryption module after ISE synthesis is shown in Table 1.

Table 1 AES encryption and decryption resource utilization table



Figure 4 AES encryption and decryption implementation block diagram
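An added software reference model for the SBOX module and the key operation module listed above (it is not the paper's VHDL): it derives the AES S-box from the GF(2^8) inverse and affine transform, then expands a 128-bit key into the 11 round keys, which is the output a testbench would compare the hardware key schedule against. All function names are illustrative assumptions.

```c
#include <stdint.h>
#include <string.h>

static uint8_t sbox[256];

/* Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0x00));
    }
    return p;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* S-box entry = affine transform of the multiplicative inverse (0 maps to 0). */
void aes_build_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; y < 256 && x != 0; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        sbox[x] = (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^
                            rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
    }
}

/* Expand a 128-bit key into 11 round keys (176 bytes, FIPS-197 order). */
void aes128_expand_key(const uint8_t key[16], uint8_t rk[176]) {
    uint8_t rcon = 0x01;
    aes_build_sbox();
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4] = { rk[i - 4], rk[i - 3], rk[i - 2], rk[i - 1] };
        if (i % 16 == 0) {                 /* first word of each round key */
            uint8_t t0 = t[0];             /* RotWord, SubWord, then Rcon */
            t[0] = sbox[t[1]] ^ rcon;
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[t0];
            rcon = gf_mul(rcon, 0x02);     /* next round constant */
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}
```

A 16-character key typed on the keyboard would be passed to `aes128_expand_key` as its 16 ASCII bytes.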

Implementation of interface module

The server side uses the Spartan-3e platform to expand the PS2 interface, 16X2 LCD display, and three 6-pin universal expansion interfaces, which facilitate the connection and expansion of peripherals. The keyboard realizes one-way communication in this system, and the expansion interface module exchanges information with external devices through the platform universal expansion interfaces J1, J2, and J3. The Spartan-3e platform communicates through the serial port DTE and GSM module, and sends the corresponding information to the designated mobile phone via SMS.

Each interface module is attached to the OPB bus as a custom IP added through EDK; the keyboard, LCD and serial port DTE use interrupts. The driver for each module is completed from the automatically generated driver template.

Network security detection and alarm implementation

The server side realizes SOCKET-based network communication by adding the network controller IP core in EDK and porting the LwIP network protocol stack. When the server receives a client request, it decrypts the received IP data packet, analyzes it, and extracts the corresponding ID information and IP information. Because the ID is generated by the MD5 algorithm, it serves as the unique ID of an authorized client, and it is compared against the list of authorized IDs. If it is an authorized ID, the requested information is encrypted and sent to the client. If it is an unauthorized ID, there is an unauthorized user in the network and the network is already unsafe; the extracted IP information is then sent over the GSM network to the designated receiving mobile phone, which provides real-time detection and alarm for the network.

Server-side software implementation

The server side builds an embedded system based on the MicroBlaze processor and the Xilkernel operating system. By adding a PS2 keyboard, an LCD display and other devices, it provides a good human-computer interaction interface. Xilkernel supports multi-threaded operation and can be adapted flexibly by configuring a few parameters. Although it has no network system of its own, SOCKET-based network communication can be realized by porting the LwIP protocol stack.

The design of the application mainly includes system initialization, processing of client requests, and network security monitoring and alarm. System initialization mainly covers the peripherals. LCD initialization enables interrupts with microblaze_enable_interrupts() and calls the LCD initialization function INIT_LCD(). PS2 keyboard initialization calls the keyboard initialization function init_kbd() and the interrupt enable function enable_interrupt(). The system then calls xilkernel_main() to enter Xilkernel and creates socket_thread. LwIP is initialized and socket_app_thread is created. This thread mainly sets the network parameters: the IP address, gateway and subnet mask are set through the IP4_ADDR() function.

When the system is running, the LCD displays the relevant information. When it shows that it is waiting for the key, the 16-character key is entered on the keyboard and confirmed. The system then calls the socket() function to create a socket and the listen() function to start listening.

Once a user request is received, a socket_process_thread thread is created. In the socket_process_thread thread, the relevant information of the IP data packet is extracted. First, check whether the ID sent by the client is in the authorized ID list. If the ID is correct, the data received from the wireless module is encrypted with AES and the encrypted data is sent to the client. If the ID is wrong, extract the IP in the received IP data packet, enable the GSM module, and send the extracted IP to the designated receiving end via SMS.
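The authorization check and alarm decision described above, as an added example that is not the paper's code. The request layout (16-byte ID, 4-byte IPv4 address, then the command), the sample ID list and all names are assumptions; the ID comparison is constant-time, and short packets are rejected before any field is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_LEN  16                 /* an MD5 digest is 16 bytes */
#define REQ_MIN (ID_LEN + 4 + 1)   /* assumed layout: ID | IPv4 | command */

enum verdict { REQ_MALFORMED = -1, REQ_ALERT = 0, REQ_SERVE = 1 };

/* Constructed sample list of authorized IDs (not taken from the paper). */
static const uint8_t authorized[][ID_LEN] = {
    { 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f },
    { 0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf },
};

/* Compare all bytes without an early exit, so timing does not reveal
 * how many leading bytes of a submitted ID were correct. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Classify one decrypted request. On REQ_ALERT, sms receives the text that
 * would be handed to the GSM module. */
enum verdict check_request(const uint8_t *pt, size_t len, char *sms, size_t sms_len) {
    int ok = 0;
    if (pt == NULL || len < REQ_MIN) return REQ_MALFORMED;  /* no out-of-bounds read */
    for (size_t i = 0; i < sizeof authorized / sizeof authorized[0]; i++)
        ok |= ct_equal(pt, authorized[i], ID_LEN);           /* scan the whole list */
    if (ok) return REQ_SERVE;
    const uint8_t *ip = pt + ID_LEN;
    snprintf(sms, sms_len, "Unauthorized ID from %u.%u.%u.%u",
             (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3]);
    return REQ_ALERT;
}

int main(void) {
    uint8_t req[REQ_MIN] = { 0 };   /* constructed request carrying an unknown ID */
    char sms[64];
    req[16] = 192; req[17] = 0; req[18] = 2; req[19] = 7;
    if (check_request(req, sizeof req, sms, sizeof sms) == REQ_ALERT) puts(sms);
    return 0;
}
```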

The software design flow chart of the entire server side is shown in Figure 5.


Figure 5 Server software flow chart

System client implementation

The client system is built in a similar way to the server, and its principle can be understood from the server's system design. The application design likewise includes system initialization, processing of customer requests, and decryption and handling of the information returned by the server. Peripheral initialization is as follows: LCD initialization enables interrupts with microblaze_enable_interrupts() and calls the LCD initialization function INIT_LCD(); PS2 keyboard initialization calls the keyboard initialization function init_kbd() and the interrupt enable function enable_interrupt(). The system calls xilkernel_main() to enter Xilkernel and creates socket_thread. The LCD shows that it is waiting for the key to be entered on the keyboard. After the key is entered it must be confirmed again, and after confirmation the client is started. LwIP is initialized and socket_app_thread is created. The network parameters are configured: the IP address, gateway and subnet mask are set through the IP4_ADDR() function. The client then waits for the user to press a key and submit the required data request. It calls the socket() function to create a socket, connects to the server, sends the authorization ID generated by the MD5 algorithm, and waits for the server to respond. When the data returned by the server is received, the AES decryption module is called to decrypt it. The data is displayed on the LCD, and the system waits for the user to request data again. The client software flow chart is shown in Figure 3-4.

Conclusion

The system uses an FPGA platform to build an embedded system based on the MicroBlaze soft core and the Xilkernel operating system. This paper mainly discusses and independently develops the following:

1. An introduction to the principles of the AES encryption and decryption algorithm and its independent hardware implementation on FPGA.

2. An embedded system based on the MicroBlaze soft core and the Xilkernel operating system, with custom peripheral interface IP.

3. Implementation of network security detection and design and implementation of alarm mechanism through GSM network.

After unit testing and overall evaluation, each module operates well independently and meets the system design requirements. The overall system test runs smoothly and has strong reliability. It can fully meet the performance and technical requirements of actual applications.
