 Open Access
 Total Downloads : 155
 Authors : Naisy Mol S, Sharath Raj S
 Paper ID : IJERTV3IS030572
 Volume & Issue : Volume 03, Issue 03 (March 2014)
 Published (First Online): 20032014
 ISSN (Online) : 22780181
 Publisher Name : IJERT
 License: This work is licensed under a Creative Commons Attribution 4.0 International License
Design of an HMAC CoProcessor Unit Based on SHA2 Family of Hash Functions
Naisy Mol S.
PG Scholar,VLSI & Embedded Systems Dept.of Electronics and Communication TKM Institute of Technology
Kollam, India
Sarath Raj S.
Associate Professor
Dept. of Electronics and Biomedical TKM Institute Of Technology Kollam,Kerala,India
Abstract Cryptography entails the design of algorithms for encryption and decryption, intended to ensure the secrecy and authenticity of messages in communication systems. The Secure Hash Algorithm (SHA) is a family of cryptographic hash functions published by NIST. SHA2 is a family of two similar hash functions, with different block sizes, known as SHA256 and SHA512.Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyedhash message authentication codes. Hashbased Message Authentication Code (HMAC) is a mechanism for message authentication using cryptographic hash functions. This paper aims to design an efficient HMAC cryptoprocessor unit for cryptographic applications such as spacecrafts, email, electronic fund transfer, etc. In order to facilitate the computation of message digests, the HMAC module provides a direct interface with the builtin SHA2 core through input and output ports. The coding is done in VHDL language, synthesized using Xilinx ISE 13.2 and simulated using ModelSim SE 6.2c.
Keywords Cryptographic hash functions, Crypto processor, SHA256 , HMAC.

INTRODUCTION
The growing demand of secure highspeed digital communications has demanded the inclusion of cryptographic primitives into system design. Since cryptographic processing is usually not lightweight, some applications delegate those tasks to specific hardware modules. One of the most important requirements to be satisfied in secure communications is data integrity and data origin authentication. In order to satisfy those security requirements, the U.S. National Institute of Standards and Technology (NIST) recommends the use of the KeyedHash Message Authentication Code(HMAC) based on the Secure Hash Standard (SHS).
Several standards and protocols employ SHS and HMAC. For instance, the Digital Signature Standard (DSS) utilizes SHA to compute message digests and generate random numbers. Furthermore, HMAC along with SHS is employed in the Transport Layer Security Protocol (TLS) and Security Architecture for the Internet Protocol (IPsec). More specifically, those algorithms are used to perform data origin authentication and integrity verification for the IPSec Authentication Header(AH), Encapsulating Security Payload (ESP), and Internet Key Exchange Protocol(IKE and IKEv2). The security of the algorithms and protocols depends directly on the cryptographic strength of the underlying hash functions. Due to efficient collision search attacks against SHA1 and MD5 hash functions, more secure hash algorithms of SHS, such as SHA2 has gain more importance. To address the ongoing demand of higher levels of security, a highperformance HMAC/SHA2 processor is introduced. This project aims to design an efficient SHA256 core for cryptographic applications such as space crafts, email, electronic fund transfer, etc..
This paper is organized as follows. Section 2 focuses on cryptographic hash functions, Secure Hash Standard(SHS) and Algorithm descriptions. In Section 3, proposed method; design of HMAC coprocessor unit based on SHA2 family.ie,SHA 256 is preferred for hash computation in HMAC. In section 4, the simulation results of the proposed techniques were discussed. Conclusions and ongoing works are discussed in section 5.

LITERATURE REVIEW

Cryptography and Hash functions
Cryptography is the science of secret writing with the goal of hiding the meaning of a message. It seems closely linked to modern electronic communication. Cryptography itself splits into three main branches: Symmetric Algorithms, Asymmetric (or PublicKey) Algorithms and Cryptographic Protocols. In Symmetric Algorithms ,two parties have an encryption and decryption method for which they share a
secret key. All cryptography from ancient times until 1976 was exclusively based on symmetric methods. Symmetric ciphers are still in wide spread use, especially for data encryption and integrity check of messages. In publickey cryptography, a user possesses a secret key as in symmetric cryptography but also a public key. Asymmetric algorithms can be used for applications such as digital signatures and key establishment, and also for classical data encryption. Cryptographic Protocols deals with the application of cryptographic algorithms, Symmetric and asymmetric algorithms. Cryptanalysis is the science and sometimes art of breaking cryptosystems. It is the only way to assure that a cryptosystem is secure, and it is an integral part of cryptology[6].
Hash functions are an important cryptographic primitive and are widely used in protocols. They compute a digest of a message which is a short, fixedlength bit string. For a particular message, the message digest, or hash value, can be seen as the finger print of a message, i.e., a unique representation of a message. Unlike all other crypto algorithms introduced, hash functions do not have a key. The use of hash functions in cryptography is manifold: Hash functions are an essential part of digital signature schemes and message authentication codes. Hash functions are also widely used for other cryptographic applications, e.g., for storing of password hashes or key derivation[6].

Secure Hash Standard (SHS)
This Standard specifies five secure hash algorithms, SHA 1, SHA224, SHA256, SHA384, and SHA512. All five of
the algorithms are iterative, oneway hash functions that can process a message to produce a condensed representation called a message digest. These algorithms enable the determination of a messages integrity: any change to the message will, with a very high probability, result in a different message digest. This property is useful in the generation and verification of digital signatures and message authentication codes, and in the generation of random numbers or bits[2].
Each algorithm can be described in two stages: preprocessing and hash computation. Preprocessing involves padding a message, parsing the padded message into mbit blocks, and setting initialization values to be used in the hash computation. The hash computation generates a message schedule from the padded message and uses that schedule, along with functions, constants, and word operations to iteratively generate a series of hash values. The final hash value generated by the hash computation is used to determine the message digest.
The five algorithms differ most significantly in the security strengths that are provided for the data being hashed. The security strengths of these five hash functions depends on cryptographic algorithms, such as digital signature algorithms and keyedhash message authentication codes. Additionally, the five algorithms differ in terms of the size of the blocks and words of data that are used during hashing. Table 2.1 presents the basic properties of these hash algorithms.
The five hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible to find a message that corresponds to a given message digest and also infeasible to find two
different messages that produce the same message digest. Any change to a message will result in a different message digest. This will result in a verificaion failure when the secure hash algorithm is used with a digital signature algorithm or a keyedhash message authentication algorithm.
Table 2.1 : Secure Hash Algorithm Properties
Algorithm
Message Size (bits)
Block Size (bits)
Word Size (bits)
Message digest size (bits)
SHA1
<264
512
32
160
SHA224
<264
512
32
224
SHA256
<264
512
32
256
SHA384
<264
1024
64
384
SHA512
<264
1024
64
512

Algorithms and Descriptions
One of the goals of the HMAC algorithm is to be independent of a given hash function, so that the latter can be easily replaced with faster and more secure algorithms. Besides, the underlying hash function constitutes the core of the HMAC algorithm, and dictates its security level. Since this paper proposes an HMAC cryptoprocessor unit based on SHA2, both algorithms are presented in this section.
SHA2 Algorithm
The SHA2 family of hash functions comprises four algorithms, namely, SHA224, SHA256, SHA384, and SHA512.The execution of SHA2 algorithms is divided into two parts: Preprocessing and Hash computation. A list of SHA2 parameters is presented in table 2.2, whereas SHA2 symbols are listed below:
B : SHA2 input block size (in bits);
L : SHA2 message digest size (in bits); D :Data path width (in bits);
N : Number of message blocks;
i : Message block index, where 1 i N; j : Number of algorithm iterations;
t : Iteration index, where 0 t j 1; M(1),,M(N) : Message blocks;
,, : Initial hash values;
,., : Intermediate hash values; W0,,Wj: Message schedule words; A,, h : Working variables;
K0,,Kj: Constants.
Table 2.2 : SHA2 algorithm parameters
parameter
SHA
224
SHA
256
SHA
384
SHA
512
B
512
512
1024
1024
L
224
256
384
512
D
32
32
64
64
J
64
64
80
80
Symbols and Operations
The following symbols are used in the secure hash algorithm specifications; each operates on wbit words.
Bitwise AND operation.
Bitwise OR (inclusiveOR) operation.
Bitwise XOR (exclusiveOR) operation.
Â¬ Bitwise complement operation.
+ Addition modulo 2w.
<< Leftshift operation, where x <<n is obtained by discarding the leftmost n bits of the word x and then padding the result with n zeroes on the right.
>> Rightshift operation, where x >>n is obtained by discarding the rightmost n bits of the word x and then padding the result with n zeroes on the left.
The following operations are used in the secure hash algorithm specifications:
ROTLn(x) The rotate left (circular left shift) operation, where x is a wbit word and n is an integer with 0 n <w, is defined by ROTL n(x)=(x <<n) (x >>w – n).
ROTRn(x) The rotate right (circular right shift) operation, where x is a wbit word and n is an integer with 0 n <w, is defined by ROTR n(x)=(x >>n) (x <<w – n).
SHRn(x) The right shift operation, where x is a wbit word and n is an integer with 0n <w, is defined by SHR n(x)=x
>>n.
Hash Computation
The hash computation is based on operations over Dbit words. The number of iterations performed by the algorithm is given by j. For SHA224/256, j = 64, whereas for SHA 384/512, j = 80. Actually, j can be considered to represent the number of Dbit words processed by the algorithm. More specifically, the SHA2 algorithms comprise j message schedule words (W0,..,Wj), eight working variables (a, b, c, d, e, f, g, h), and eight intermediate hash values ,,). Additionally, six logical functions are employed.RORn(x) and SHRn(x) correspond to, respectively, a rotation and a shift of
x by n bits to the right. Besides, represents the bitwise XOR operation, the bitwise AND operation, and Â¬x the bitwise complement of x[2].
After preprocessing is completed, each message block, M(1),M(2),,M(N), is processed in order, using the following steps:
For i=1 to N
{

Prepare the message schedule
t
Wt= M (i) 0 t 15
16 t 63

Initialize the eight working variables a =
b = c = d = e =
f = g = h =

For t=0 to 63
{
T1 = h+ + Ch(e,f,g) + +
T2 = + Maj(a,b,c) h=g
g=f f=e
e=d+ T1 d=c
c=b b=a
a= T1 + T2
}

Compute theith intermediate hash value H(i):
= a +
= b +
= c +
= d +
=e +
= f +
= g +
= h +
}
After repeating steps one through four a total of N times (i.e., after processing M(N)), the resulting 256bit message digest of the message, M, is
HMAC Algorithm
The HMAC algorithm processes two inputs, a cryptographic key and a message, to produce message authentication code(MAC). The combination of HMAC with SHA2 is denoted as HMAC/SHA2. Individual combinations of HMAC with the four SHA2 algorithms are denoted as HMAC/SHA224, HMAC/SHA256,HMAC/SHA384,and
HMAC/SHA512. Due to certain commonalities between SHA224 and SHA256, as well as between SHA384 and SHA512, the algorithms can also be referred to as HMAC/SHA224/256 and HMAC/SHA384/512[5].
HMAC Parameters and Symbols
B : SHA2 input block size (in bits);
L : SHA2 message digest size (in bits);
Key : Secret key of the communicating parties; K : Size of the Key (in bits);
K0 :Key after any necessary preprocessing; Ipad: (Inner pad) Byte 0x36 repeated B=8 times;
Opad: (Outer pad) Byte 0x5C repeated B=8 times; Text : The data on which the HMAC is calculated; Hash(V ) : Hash of variable/value V ;
(0..)z: Padding with z zeros.
Parameters B and L are inherited from SHA2. The Text can be n bits long, where 0 n <2B8 – B, whereas the size of a MAC is L bits long. The HMAC algorithm is consisted of seven steps as shown below. Notice that the hashes computed in Step IV and Steps VII can be split into two parts to facilitate its implementation.
HMAC Algorithm Steps
Step I: Preprocess key as follows K0= Key, k=B
Key(0..)BK k<B
Hash(key) (0..)BL k>B Step II: Compute (K0Ipad).
Step III: Do (K0Ipad)Text Step IV: Hash((K0Ipad) Text) StepV : Compute (K0Opad)
StepVI : Do (K0Opad)Hash((K0Ipad) Text) StepVII: Hash((K0Opad)Hash((K0Ipad)
" Text))
Step VII produces the MAC of the message digest.A common practice is to truncate the MAC by using only its
tleftmost bits. Here, MAC is L bits long, and any truncation is performed at the user level. To compute a MAC over the data text using the HMAC function, the following operation is performed:
MAC(text)t= HMAC(K, text)t = H((K0Opad) H((K0Ipad)  text))t


Message Authentication Codes
A Message Authentication Code (MAC), also known as a cryptographic checksum or a keyed hash function, is widely used in practice. In terms of security functionality, MACs share some properties with digital sgnatures, since they also provide message integrity and message authentication. However, unlike digital signatures, MACs are symmetrickey schemes and they do not provide nonrepudiation. One advantage of MACs is that they are much faster than digital signatures since they are based on either block ciphers or hash functions. Similar to digital signatures, MACs append an authentication tag to a message. The crucial difference between MACs and digital signatures is that MACs use a symmetric key k for both generating the authentication tag and verifying it. A MAC is a function of the symmetric key
k and the message x
i.e., m =MACk(x)
The principle of the MAC calculation and verification is shown in Figure 1.The motivation for using MACs is typically that sender and receiver want to be assured that any manipulations of a message in transit are detected. For this, sender computes the MAC as a function of the message and the shared secret key key. Sender sends both the message and the authentication tag MAC to receiver. Upon receiving the message and MAC, receiver verifies both. Since this is a
symmetric setup, receiver simply repeats the steps that sender conducted when sending the message. Receiver merely recomputes the authentication tag with the received message and the symmetric key.
Fig. 1. principle of MACs
The underlying assumption of this system is that the MAC computation will yield an incorrect result if the message was altered in transit. Hence, message integrity is provided as a security service. Furthermore, receiver is now assured that sender was the originator of the message since only the two parties with the same secret key have the possibility to compute the MAC. If an adversary, intruder, changes the message during transmission, he cannot simply compute a valid MAC since he lacks the secret key. Any malicious or accidental (e.g., due to transmission errors) forgery of the message will be detected by the receiver due to a failed verification of the MAC.


PROPOSED METHOD
In practice, message authentication codes are constructed in essentially two different ways from block ciphers or from hash functions. One possible construction, named HMAC, has become very popular in practice over the last decade. This section presents the HMAC coprocessor unit based on the SHS, and comprising the entire SHA2 family of hash functions. Therefore, the proposed coprocessor unit provides applications with much higher levels of security than previous works. In hash computation, the HMAC module allows the user to interface directly with the builtin SHA2 core through the ports Key_Text_In and Msg_Digest_MAC_Out. The proposed HMAC architecture consists of a SHA2core, multiplexors, logical operations, and registers as shown in Figure 2. Three registers, namely K0_Ipad_ Hash, K0_Ipad_ Text_ Hash, and K0_Opad_ Hash are also used in hash computation.
HMAC Registers

Architecture of HMAC coprocessor unit
to store the algorithm constants. Figure 3 shows the SHA2 architecture. The SHA2 architecture can be divided into four main blocks: Intermediate Hash Computation, Compressor, Message Scheduler, and Constants Memory.
Input block
Input text
Padding unit
Padding Unit
Key_Text_in
Const. memory
Message scheduler (W0,.,W15)
MUX
Compressor (a,..,h)
Intermediate Hash Computation (H0,..,H7)
Message scheduler
SHA2 core
Msg_Digest_MAC_Out
Intermediate Hash Computation
Compressor
MUX
Message digest
Fig. 2. Architecture of SHA2 core
The message scheduler's registers W0,…,W15 can be initialized either in serial or in parallel. Serial initialization requires the first 16 words Mt of the message M to be shifted into the module. For this processing it takes 16 clock cycles. It is utilized when writing a new message or key to the SHA 2core through the HMAC module. For example, it can be a message being hashed, a long key being preprocessed, or a text being processed as part of a MAC computation.
Output block
Fig. 2. Architecture of HMAC unit
The HMAC hardware module to be designed needs to cope with both message digest and MAC computations, to process long messages and keys of different sizes (K Â· B and K > B),as well as to perform preprocessing of long keys. Actually, key reuse is supported the utilizing registers K0_Ipad_Hash and K0_Opad_Hash in further computations. Moreover, register K0_Opad_ Hash can also works as a temporary key storage during the HMAC processing. The HMAC processing is divided into five stages, such as NewKeyHash, KeyIpadHash,TextHash, KeyOpadHash, and MACHash. The stages are executed in aboveorder, but not all stages are necessarily used. The size of the key, the size of the text, and whether a key is being reused will determine the number of stages needed[1].

Architecture of SHA2 core
The hardware design of the SHA2 algorithm consists of shiftregisters, logical operations, Dbit adders, and a memory
Parallel initialization is used by the HMAC module to load internally stored values directly into registers W0,…,W15. Simultaneously, the constants memory provides the initialization values for the working variables (a,…, h). Initial hashes (H0,…,H7) are also set within this period of time. The initialization of working variables and initial hashes takes one clock cycle. When initialization is complete, the compressor employs registers a,…,h, as well as Wt and Kt to determine the new values of a,…, h. The algorithm takes t iterations and is controlled internally by an iteration counter, which is described using step 3 of SHA2. Precisely, SHA224/256 and SHA384/512 utilizes 64 and 80 iterations respectively,. In each of these iterations, registers W0,…,W15 and a,…, h are shifted in the direction of the arrows shown in Figure 3. The register requirements are 1024 bits for SHA224/256, and 2048 bits for SHA384/512.
After t iterations, the intermediate hash computation is performed. It would be possible to execute this operation in a single clock cycle, eight adders are to be operated in parallel. To save implementation area, only two adders are utilized. Therefore, the computation of the intermediate hash is spread
over the last 4 iterations by computing two additions per clock cycle. The additions are performed when t = 60,…, 63 for SHA224/256.For instance, in SHA224/256, H3 and H7 are computed when t = 60, H2 and H6 are computed when t = 61, and so on.
In the case of hashing a multiblock message, a new execution cycle initiates. If serial load is used, 16 more words Mt must be shifted into the module. If parallel load is used, the HMAC module reloads registers W0,…,W15 with the appropriate value. After that, the same procedure described above is reexecuted. When the hash is complete, the message digest is available in registers H0,…,H7. Again, the message digest may correspond to either a single hash computation or to any of the hashes computed in the HMAC algorithm. In the case of a single hash computation, the result is read serially. Since a Dbit word is output per read operation, L=D iterations are necessary. Specifically, SHA224, SHA256, SHA384 and SHA512 require 7, 8, 6, and 8 read operations respectively. In the case of the HMAC processing, registers H0,…,H7 are read in parallel by the HMAC core.
The number of iterations involved in a hash computation, makes it clear that a single bitflip in the constants memory, input blocks, or registers can easily compromise the computation of the hash function and the associated upper level application (e.g., data integrity checking and MACs). For making hash function designs appropriate for space applications, error detection and correction schemes must be incorporated so that SEU (Single Event Upsets)s do not compromise its normal operation.


RESULTS AND DISCUSSION/p>
The design entry is modelled using VHDL in Xilinx ISE Design Suite 13.2 to obtain the synthesis report and the simulation of the design is performed using Modelsim6.2c to validate the functionality of the design. The simulation result of SHA256 algorithm is shown in figure 4.
For SHA256 algorithm each input message block has 512 bits, which are represented as a sequence of sixteen 32 bit words. The output or message digest are of 256 bits. SHA2 algorithm uses 64 iterations to produce 256bit message digest. The clk(clock), rst(reset), m(input message) are the inputs and v(valid signal) , md(output message digest) are the outputs of SHA256 algorithm. After forcing rst =0 and the binary value of input message to m , output is obtained as per the algorithm described in above sections. The six bit counter and ROM module also designed to get the functionality of SHA2 core.
Fig. 4. simulation result of SHA256
The simulation result of HMAC algorithm is shown in figure 5. The HMAC algorithm processes two inputs, a cryptographic key and a message, to produce message authentication code(MAC). A fully generic design of the HMAC coprocessor unit had been developed in the hardware description language VHDL in order to achieve better security in communication systems.
Fig. 5. simulation result of HMAC

CONCLUSION
This paper explains a highperformance HMAC co processor based on SHA2 family of hash functions. The utilization of hash functions and KeyedHash Message Authentication Codes (HMAC) are of utmost importance to ensure data integrity and data origin authentication in digital communications. Hashbased Message Authentication Code (HMAC) is a mechanism for message authentication using cryptographic hash functions. The Secure Hash Algorithm (SHA) is a family of cryptographic hash functions published by NIST.SHA2 with HMAC will not necessarily lead to slower implementations or higher energy consumption. SHA2 with HMAC is completely feasible to efficiently replace SHA
1 and MD5 with SHA2 in hardware implementations of HMAC. These results are fundamental to support the implementation of higher levels of security in highend and constrained applications.
REFERENCES

MarcioJuliato and Catherine Gebotys, A Quantitative Analysis of a Novel SEUResistant SHA2 and HMAC Architecture for Space Missions Security IEEE transactions on aerospace and electronic systems, vol. 49, no.3,pp.15361554 ,july 2013.

NIST. Secure hash standard (SHS). Federal Information Processing Standards Publication FIPS PUB 1803, October 2008.

Sklavos, N. and Koufopavlou, O, On the hardware implementations of the SHA2 (256, 384, 512) hash functions, Proceedings of the 2003 International Symposium on Circuits and Systems (ISCAS 03), vol. 5, Bangkok, Thailand, May 2003, pp. 153156.

NIST. Advanced encryption standard(AES).Federal Information Processing Standards Publication FIPS PUB 197, November 2001.

NIST. The keyedhash message authentication code (HMAC).Federal Information Processing Standards Publication FIPS PUB 198, March 2002.

Christ of Paarand JanPelzl, "Understanding Cryptography: A Textbook for Students and Practitioners Chapters 10,11&12;page nos: 259325.

Grembowski, T and et al. Comparative analysis of the hardware implementations of hash functions SHA1 and SHA512.Information Security: Proceedings of the 5th InternationalConference on Information Security (ISC02), vol. 2433, Sao Paulo, Brazil, Sept. 30 Oct. 2, 2002, pp. 7589, NewYork: SpringerVerlag, 2002.

Yiakoumis I, Papadonikolakis M, and Michail H, Efficient smallsized implementation of the keyedhash message authentication code Proceedings of theIEEE Eurocon Conference 2005 Computer as a Tool, volume 2, pages 18751878, November 2005.

Kim M, Kim Y, Ryou J, and Jun S, Efficient implementation of the keyedhash message authentication code based on SHA1 algorithm for mobile trusted computing, Proceedings of the 4thInternational Conference on Autonomic and Trusted Computing (ATC 2007), pages 410419, 2007.

NIST.Digital signature standard(DSS), Federal Information Processing Standards Publication Draft FIPS PUB 1863, November 2008