Abstract
The standard IEEE 1149.1 (Test Access Port and Boundary-Scan Architecture, also known as JTAG port) provides a useful interface for embedded systems development, debug, and test. In an 1149.1-compatible integrated circuit, the JTAG port allows the circuit to be easily accessed from the external world, and even to control and observe the internal scan chains of the circuit. However, the JTAG port can also be exploited by attackers to mount several cryptographic attacks. In this paper we propose a novel architecture that implements a secure JTAG interface. Our JTAG scheme allows for mutual authentication between the device and the tester. In contrast to previous work, our scheme uses provably secure asymmetric-key based authentication and verification protocols. The complete scheme is implemented in hardware and integrated with the standard JTAG interface. Detailed area and timing results are also presented.
Acknowledgment
This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007), by the Flemish iMinds projects, and by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II. In addition, this work is supported in part by the Flemish Government, FWO G.0550.12N, by the Hercules Foundation AKUL/11/19, and by the European Commission through the ICT programme under FP7-ICT-2011-8 HINT. Amitabh Das was initially funded by the Erasmus Mundus External Cooperation Window Lot 15 (EMECW15) when part of the work was performed. Santosh Ghosh is a beneficiary of a mobility grant from the Belgian Federal Science Policy Office co-funded by the Marie Curie Actions from the European Commission. The authors are thankful to Dr. Junfeng Fan (ESAT/COSIC, KU Leuven) for his useful comments in improving the paper.
Additional information
Responsible Editor: M. Tehranipoor
Appendices
Appendix A
ECC-based Schnorr Protocol
In the manufacturer environment scenario, A is the prover (Secure JTAG) and B is the verifier (Test server):
Pa is the public key of A and ka is the private key of A, which are related by:
Pa = ka.P,
where P is the initial point on the elliptic curve (base point), which is public. ka.P represents a point multiplication of scalar ka with base-point P.
Goal: B wants to be assured of the identity of A, in other words, that A knows ka.
Protocol:
1) A generates a random number na and sends an intermediate value ‘Ta’ (point multiplication of na and P) to B;
$$ \mathrm{A}\to \mathrm{B}:\quad {\mathrm{T}}_{\mathrm{a}}={\mathrm{n}}_{\mathrm{a}}.\mathrm{P} $$
2) B generates a random number nb and sends it to A;
$$ \mathrm{A}\leftarrow \mathrm{B}:\quad {\mathrm{n}}_{\mathrm{b}} $$
3) A sends ‘s’ to B;
$$ \mathrm{A}\to \mathrm{B}:\quad \mathrm{s}={\mathrm{n}}_{\mathrm{a}}+{\mathrm{k}}_{\mathrm{a}}.{\mathrm{n}}_{\mathrm{b}} $$
Here ka.nb represents an integer multiplication, while ‘+’ indicates an ordinary addition.
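B can verify that A is A by calculating the point multiplication of scalar s with base-point P and cross-checking it with the modular addition of ‘Ta’ with the point multiplication of nb and Pa:
$$ \mathrm{s}.\mathrm{P}={\mathrm{T}}_{\mathrm{a}}+{\mathrm{n}}_{\mathrm{b}}.{\mathrm{P}}_{\mathrm{a}} $$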
Thus B verifies the identity of A by only knowing A’s public key Pa.
For in-the-field updates, debug and test:
A is the prover (Secure JTAG), when B is the verifier (Test server).
B is the prover (Test server), when A is the verifier (Secure JTAG).
Pa is the public key of A and ka is the private key of A, which are related by:
Pa = ka.P, where P is the initial point on the Elliptic curve (base point), which is public.
Pb is the public key of B and kb is the private key of B, which are related by:
Pb = kb.P, where P is the initial point on the Elliptic curve (base point), which is public.
Goal: B wants to be sure that A is actually A, in other words, that A knows ka. Similarly, A wants to be sure that B is actually B, in other words, that B knows kb.
Protocol:
1) A generates a random number na, and sends it along with an intermediate value ‘Ta’ to B, which is calculated as:
$$ \mathrm{A}\to \mathrm{B}:\quad {\mathrm{T}}_{\mathrm{a}}={\mathrm{n}}_{\mathrm{a}}.\mathrm{P} $$
2) B generates two random numbers nb and nb’, and sends nb along with an intermediate value ‘Tb’ to A, which is calculated as:
$$ \mathrm{A}\leftarrow \mathrm{B}:\quad {\mathrm{T}}_{\mathrm{b}}={\mathrm{n}}_{\mathrm{b}}'.\mathrm{P},\quad {\mathrm{n}}_{\mathrm{b}} $$
3) A generates another random number na’ and sends it along with ‘s’ to B; B sends ‘s1’ to A:
$$ \begin{array}{ll}\mathrm{A}\to \mathrm{B}: & \mathrm{s}={\mathrm{n}}_{\mathrm{a}}+{\mathrm{k}}_{\mathrm{a}}.{\mathrm{n}}_{\mathrm{b}},\quad {\mathrm{n}}_{\mathrm{a}}' \\ \mathrm{A}\leftarrow \mathrm{B}: & {\mathrm{s}}_1={\mathrm{n}}_{\mathrm{b}}'+{\mathrm{k}}_{\mathrm{b}}.{\mathrm{n}}_{\mathrm{a}}' \end{array} $$
B can verify that A is A by calculating:
Similarly, A can verify that B is B by calculating:
Thus B verifies the identity of A by only knowing A’s public key Pa, and A verifies the identity of B by only knowing B’s public key Pb.
Moreover, na.nb’.P can be used as a session key K to encrypt all future communication between the security chip and test server. The reason behind this is that A knows na.P and nb’, while B knows na and nb’.P from which they can construct K, but no unauthorized party can do so. This may be particularly useful, for instance, in the case of pay-TV updates happening on the set-top box from a remote server using a network communication, where an eavesdropper can listen to the channel in between.
Appendix B
ECC based Schnorr for secure JTAG
The execution of the Schnorr protocol is now explained in some detail using the block diagram below:
1) First, the JTAG public key Pa is calculated. For this, the ECC controller module sends the private JTAG key ka (from on-chip storage) and the base point coordinates and other curve parameters (prime number, R*R mod n) from the non-volatile memory to the ECC point multiplier module. It then instructs the point multiplier module to start an ECC point multiplication operation.
2) The ECC point multiplier then performs a point multiplication of the scalar ka with the base point P and returns the result (Pa) back to the ECC controller module. This result is stored in a 192-bit temporary register inside the controller module.
3) A 192-bit random number na is generated by the on-chip random-number generator and sent to the ECC controller module.
4) The ECC controller module then sends this na and the base point coordinates and other curve parameters from the non-volatile memory to the ECC point multiplier module. It then instructs the point multiplier module to start an ECC point multiplication operation.
5) The ECC point multiplier then performs a point multiplication of the scalar na with the base point P and returns the result (‘Ta’) back to the ECC controller module. This result is stored in another temporary register inside the controller module.
6) The test server then generates a 192-bit random number nb and sends this to the JTAG module bit-by-bit through the TDI input. This is then stored in the 192-bit shift (data) register of the JTAG.
7) nb and the private key of the JTAG (ka) are transferred to the ECC.
8) For the integer multiplication of ka with nb, the ECC controller instructs the arithmetic module inside the point multiplier module to perform a modular multiplication of ka with nb using the ‘order of the prime’ (fetched from the non-volatile memory storage of curve parameters) as the modulus (this is equivalent to integer multiplication of ka with nb). The result is stored back in a 192-bit register inside the ECC controller module.
9) A modular addition of na with ka.nb is then performed in the arithmetic block inside the point multiplier module. For this, the appropriate control is provided from the ECC controller which also stores the result of the computation (‘s’) in the same 192-bit register.
10) The ECC controller module then sends ‘s’ and the base point coordinates and other curve parameters from the non-volatile memory to the ECC point multiplier module. It then instructs the point multiplier module to start an ECC point multiplication operation.
11) The ECC point multiplier then performs a point multiplication of the scalar ‘s’ with the base point P and returns the result back to the ECC controller module. This result is stored in the same register inside the controller module.
12) Next, the ECC controller module sends nb and the public key of the JTAG (Pa) and other curve parameters from the non-volatile memory to the ECC point multiplier module. It then instructs the point multiplier module to start an ECC point multiplication operation.
13) The ECC point multiplier then performs a point multiplication of the scalar nb with Pa and returns the result back to the ECC controller module. This result is stored in another temporary register inside the controller module.
14) A modular addition of the stored ‘Ta’ with nb.Pa is then performed in the arithmetic block inside the point multiplier module. For this, the appropriate control is provided from the ECC controller which also stores the result of the computation in the same 192-bit register.
15) The result of the above computation (Ta + nb.Pa) is then compared with s.P computed and stored earlier inside the comparator module in the ECC controller module. Only if they match is the JTAG allowed to enter the test and debug modes; otherwise it remains in the bypass mode.
Appendix C
Point Addition and Point Doubling in Affine Coordinates:
When P = (xP,yP) and Q = (xQ,yQ) are not negative of each other, then P + Q = R where
Note that s is the slope of the line through P and Q.
Similarly, when yP is not 0, then 2P = R where
Recall that ‘a’ is one of the parameters chosen with the elliptic curve and that s is the tangent on the point P.
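The affine addition and doubling rules of this appendix are enough to run the mutual Schnorr exchange of Appendix A end to end, including the s.P versus Ta + nb.Pa comparison of Appendix B and the session key K. The following Python code is an added example, not the authors' hardware design; it assumes the NIST P-192 curve (the page only says the design is 192-bit), and all function names are illustrative.

```python
import secrets

# Assumption: NIST P-192; the page only says the design is 192-bit.
p, a = 0xfffffffffffffffffffffffffffffffeffffffffffffffff, -3
n = 0xffffffffffffffffffffffff99def836146bc9b1b4d22831    # order of P
P = (0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
     0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)  # base point

def add(Q, R):
    """Affine addition/doubling; None is the point at infinity."""
    if Q is None or R is None:
        return R if Q is None else Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -R (or 2Q with y = 0)
        return None
    if Q == R:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p     # tangent at Q
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p      # line through Q, R
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def mul(k, Q):
    """Double-and-add k.Q (not constant time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def rand():
    return secrets.randbelow(n - 1) + 1      # uniform in [1, n-1]

def respond(nonce, key, challenge):
    """Prover: s = nonce + key.challenge, reduced modulo the order of P."""
    return (nonce + key * challenge) % n

def verify(s, T, challenge, pub):
    """Verifier: accept only if s.P == T + challenge.pub."""
    return mul(s, P) == add(T, mul(challenge, pub))

def mutual_auth(ka, Pa, kb, Pb):
    """Returns (B accepts A, A accepts B, K computed by A, K computed by B)."""
    na, nb, nb1, na1 = rand(), rand(), rand(), rand()   # nb1 = nb', na1 = na'
    Ta, Tb = mul(na, P), mul(nb1, P)                     # steps 1 and 2
    s, s1 = respond(na, ka, nb), respond(nb1, kb, na1)   # step 3
    return (verify(s, Ta, nb, Pa), verify(s1, Tb, na1, Pb),
            mul(na, Tb), mul(nb1, Ta))                   # K = na.nb'.P
```

A response computed with any key other than ka, or checked against any public key other than Pa, fails `verify`, which is the condition under which the JTAG stays in bypass mode.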
Formulae for ECC Point Addition and Doubling in Projective Coordinates:
Appendix D
Appendix E
Modular adder/subtractor
A “naïve” implementation of a modular addition A+B mod P is presented in Fig. 5.a; it consists in computing A+B, and then subtracting P from this result. A comparison between these two intermediate results allows choosing which one to use for the final result. However, this comparator can be avoided by observing the carry (borrow) out signal of the addition (subtraction), which can be realized by a single OR gate (instead of a 192-bit comparator), as presented in Fig. 5.b. Concerning the subtraction, the principle is the same: computing A-B and then A-B+P, and comparing these intermediate results to choose which one to use for the final result. A naïve and an optimized version of the subtraction are presented in Fig. 5.c and d.
The two optimized versions (Fig. 5.b and d) have been combined to produce an optimized modular adder/subtractor block, as depicted in Fig. 5.e. In this architecture an input (op_type) is used to select either an addition or a subtraction (set to 1 for an addition and 0 for a subtraction). This architecture uses two adder/subtractor blocks (i.e., an addition combined with the inversion (or not) of the second operand using XOR gates and setting the input carry to ‘1’ (or ‘0’)) and the optimized comparison implementation depicted earlier. Concerning the architecture used for the additions/subtractions, we have used the library provided by the synthesizer, which includes highly optimized RTL for arithmetic building blocks.
In the end, an efficient adder architecture combined with an optimized comparison implementation has led us to optimize the area by more than 90 %, by comparison with the area obtained from a VHDL file directly generated by our Gezel implementation.
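The carry-based selection described above can be checked with a bit-accurate behavioural model. The following Python code is an added example, not the authors' RTL or Gezel source; the figure's exact wiring is not reproduced on this page, so the signal names c1 and c2 and the function names are assumptions derived from the prose.

```python
W = 192
MASK = (1 << W) - 1

def addsub(x, y, sub):
    """One W-bit adder/subtractor: XOR-invert y and set carry-in when sub=1.
    Returns (W-bit result, carry-out); for x - y, carry-out 0 means borrow."""
    t = x + (y ^ (MASK if sub else 0)) + sub
    return t & MASK, t >> W

def mod_addsub(A, B, P, op_type):
    """(A + B) mod P if op_type=1, (A - B) mod P if op_type=0, for A, B < P."""
    r1, c1 = addsub(A, B, 1 - op_type)    # A + B  or  A - B
    r2, c2 = addsub(r1, P, op_type)       # r1 - P or  r1 + P (correction)
    if op_type:
        use_corrected = c1 | c2           # sum overflowed W bits OR r1 >= P
    else:
        use_corrected = 1 - c1            # A - B borrowed, so add P back
    return r2 if use_corrected else r1

def naive(A, B, P, op_type):
    """Reference result a comparator-based design would produce."""
    return (A + B) % P if op_type else (A - B) % P
```

The selection uses only the two carry-out bits, so no 192-bit comparison of intermediate results is needed, and the model agrees with the reference for every pair of operands below P.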
Appendix F
16-cycle JTAG TAP Controller State Diagram
Das, A., Da Rolt, J., Ghosh, S. et al. Secure JTAG Implementation Using Schnorr Protocol. J Electron Test 29, 193–209 (2013). https://doi.org/10.1007/s10836-013-5369-9
DOI: https://doi.org/10.1007/s10836-013-5369-9