Design Security in Stratix III Devices Altera Corporation
1. Program the security key into the Stratix III FPGA: The Quartus® II software requires the user to enter a 256-bit
user-defined key, which is then used to generate a key programming file. The key programming file containing
the key information is then loaded into the Stratix III FPGA through the JTAG interface. The key is then stored in
the 256-bit key storage, which can either be volatile (SRAM-based) or non-volatile (poly fuse-based).
2. Encrypt the configuration file and store it in the external memory: The Quartus II software requires the same
256-bit user-defined key used in step 1 to encrypt the configuration file. The encrypted configuration file is then
loaded into the external memory, such as a configuration or flash device.
3. Configure Stratix III FPGA: At system power-up, the external memory device sends the encrypted configuration
file to the Stratix III FPGA. The Stratix III built-in AES decryption engine then uses the key to decrypt the
configuration file and configure itself.
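Steps 1 and 2 only work if both use the same 256-bit key, and a key written to poly fuses cannot be rewritten, so it is worth checking the key before either step. The following pre-flight check is an added example, not Altera or Quartus II code; the hex-string key representation, the function names, the fingerprint label and the weak-key heuristic are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BITS = 256  # key size the page states for Stratix III design security


def generate_key_hex() -> str:
    """Return a fresh 256-bit key from the OS CSPRNG as 64 hex digits."""
    return secrets.token_hex(KEY_BITS // 8)


def parse_key_hex(text: str) -> bytes:
    """Validate a user-entered key: exactly 256 bits of hex, not trivially weak."""
    cleaned = "".join(text.split()).lower()  # tolerate spaces and line breaks
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    if len(cleaned) != KEY_BITS // 4:
        raise ValueError(f"expected {KEY_BITS // 4} hex digits, got {len(cleaned)}")
    key = bytes.fromhex(cleaned)  # raises ValueError on non-hex characters
    # Heuristic (assumption): a random 32-byte key almost never has fewer than
    # 16 distinct byte values; all-zero or short repeating patterns do.
    if len(set(key)) < 16:
        raise ValueError("key has too few distinct bytes to be random")
    return key


def fingerprint(key: bytes) -> str:
    """Short tag for build records, so the key itself is never logged."""
    digest = hashlib.sha256(b"design-security-key-v1\x00" + key).hexdigest()
    return digest[:16]


def same_key(programmed_hex: str, encrypt_hex: str) -> bool:
    """True when the key for step 1 and the key for step 2 are identical."""
    a = parse_key_hex(programmed_hex)
    b = parse_key_hex(encrypt_hex)
    return hmac.compare_digest(a, b)  # constant-time comparison


if __name__ == "__main__":
    key_hex = generate_key_hex()  # constructed sample key, generated at run time
    print("fingerprint:", fingerprint(parse_key_hex(key_hex)))
    print("steps 1 and 2 agree:", same_key(key_hex, key_hex.upper()))
```

Recording only the fingerprint alongside the key programming file and the encrypted configuration file lets a mismatch be caught before the device fails to configure.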
Stratix III Key Programming Solutions
Altera provides different types of solutions for design security key programming via the JTAG interface, supporting
on-board and off-board key programming.
The steps for programming the volatile and non-volatile key are included in AN 512: Using the Design
Security Feature in Stratix III Devices.
AES Encryption Algorithm
AES is a Federal Information Processing Standard (FIPS-197) and has been approved to be used by U.S. government
organizations to protect sensitive, classified information. It is also expected to be widely adopted both commercially
and globally.
AES is a symmetric block cipher that encrypts and decrypts data in blocks of 128 bits. The encrypted data is subject
to a series of transformations including byte substitutions, data mixing, data shifting, and key additions. AES comes
in three different key sizes: 128 bits, 192 bits, and 256 bits. The 256-bit AES key size is used in Stratix III FPGAs for
both security and efficiency. According to the National Institute of Standards and Technology (NIST), studies have
shown that if one could build a machine that could discover a data encryption standard (DES) key in seconds, then it
would take that same machine more than 149 trillion years to discover a 256-bit AES key. The Stratix III AES
implementation has been validated as conforming to the FIPS-197 standard.
AES Decryption Block
The main functions of the decryption block are:
■ Determine whether the configuration data needs to be decrypted.
■ Determine the security mode.
■ Decrypt the data stream and decompress the data, if needed; otherwise, configure the device.
Prior to receiving encrypted data, the 256-bit security key must be entered and stored in the device. You can choose
between a non-volatile security key and a volatile security key with battery backup. The non-volatile key and the poly
fuse key verify bit (which indicates a poly fuse key is present) are stored in one-time programmable poly fuses,
whereas the 256-bit volatile key and the volatile key verify bit (which indicates a volatile key is present) are stored in
volatile key registers that are backed up with external battery power.
Key Storage
The security key is stored in poly fuses and volatile key registers inside the Stratix III FPGA. Poly fuses are
non-volatile and one-time programmable. Volatile key storage requires an external backup battery that allows the key
to be stored in the event the device is powered down. The security key can be programmed into the Stratix III FPGA
during regular manufacturing flow, with the FPGA either on-board (for both volatile and non-volatile keys) or
off-board (for non-volatile key only).