Related Works
IEEE 1609.2 WAVE Protocol Security Service
AES-CCM
- AES …
- CBC-MAC
- Counter
AES-CCM is the unique symmetric-key block cipher algorithm in IEEE 1609.2 for encrypting and decrypting data, and it is also defined in NIST SP 800-38C. It is also used to encrypt data in other wireless communication protocols such as IEEE 802.11. AES-CCM consists of an AES-CBC-MAC and a counter mode, both using the AES algorithm, as shown in Figure 3-3 [1, 9].
The input to the AES cipher (plaintext) is formatted into 128-bit formatted blocks by the formatter function. These blocks are processed by a CBC-MAC (Cipher Block Chaining Message Authentication Code) and a counter to encrypt the plaintext. The CBC-MAC and the counter are processed using the AES algorithm at each step.
AES is defined in FIPS-197 by NIST to replace the Data Encryption Standard (DES) encryption algorithm. The CBC-MAC step in AES-CCM generates a message authentication code (MAC) using the cipher block chaining method with AES encryption. To build the chain, the CBC-MAC repeatedly applies AES encryption and an XOR operation with the previous chain result.
The counter blocks consist of the nonce data supplied as an input to AES-CCM and a simple counter value. The first block of ciphertext is XORed with the MAC data from CBC-MAC.
SHA-256
Hash-DRBG …
The input of the instantiation algorithm is used to initialize the values that hash-DRBG needs to generate random numbers. These inputs are concatenated and fed into hash_df, a sub-algorithm that creates the instantiation values. The initialization values in this algorithm are a reseed counter, a seed value (V) and a constant value (C).
As mentioned above, V and C are either created by the instantiation algorithm or regenerated by the generation algorithm itself. In this algorithm, SHA-256 and the hashgen algorithm, a sub-algorithm of DRBG, are used to generate the random bits (return_bit). To maintain the security strength of the algorithm, V and C are regenerated during the generation algorithm, and these values are passed back to the algorithm to generate the next random bits, V and C.
Similar to the instantiation algorithm, the reseed algorithm generates V and C to generate the random bits. However, the reseed algorithm is called when the reseed counter has reached the number of requests between reseeds in Table 3-3, and the reseed counter is initialized to 1 because V and C do not have sufficient security strength for robustness.
ECDSA
To generate r, a random value k is generated by Hash-DRBG and dot multiplication by G is performed. If r and v are equal, then the signature is valid and the signature message is accepted in the system. That is, there is no need to encrypt the remaining block because the encrypted block number is the same as the formatted block number.
As mentioned above, hash-DRBG generates pseudo-random bits (RB) using the hash function. Hash-DRBG has 3 main modules (Instantiation_state, Hash_DRBG_Generate and Hash_DRBG_Reseed) and 3 sub-modules (Hash_df, SHA-256 and Hashgen) to generate random values. We now describe the implementation of the sub-modules in this algorithm: Hash_df, Hashgen and SHA-256.
The reseed FSM generates the control signals that handle the Hash_DRBG_Reseed module. parallel_adder_done is true if the output signal of the parallel_adder (o_output) is saved to Operand[0] to collect the previous addition result. As mentioned above, the parallel_adder is used by the binary_multiplication to accumulate the multiplier.
We also carry out the implementation and synthesis of the proposed hash-DRBG architecture, and the result is summarized in Table 5-4. -Badillo, et al, "Efficient Hardware Architecture for IEEE 802.11i AES-CCM Protocol", Computer and Electrical Engineering, p.
Hardware Implementation of IEEE 1609.2 WAVE Protocol Security Service
AES-CCM
- AES …
- AES-CCM
To achieve the best performance of AES-CCM, we analyze and implement the AES algorithm very carefully, as AES is often used in AES-CCM. In Figure 4-1, there are 8-bit operation data paths, and these lead to delay in the key extension path. However, because key expansion is performed only once for the same input key, we did not optimize the data path.
Because key expansion and AES encryption engine have different round counters and timing of start process (do_exped, do_aes) and end process (text_valid). The formatted block process in Figure 4-5 converts the plaintext data into 128-bit formatted blocks. For the formatted block process, we use a case statement on the plaintext length modulo 128. with a 128-bit counter block generated with nonce and counter value as mentioned above.
Except for the first encoded counter block, every encoded counter block is XORed with a formatted block. It links the previously AES-encrypted chain block with the current formatted block using an XOR operation. The next state, KEY_EXP, runs the key expansion process in the AES encryption engine until the end of key expansion (key_exp_done).
In the FIRST_BLOCK state, it creates the flag byte of the first formatted block using the plaintext length and the MAC length. The S_NONCE state formats the nonce state into a formatted block and transitions to the ASSOCIATE state if A_flag is true and data_type equals T_ASSOCIATE.
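The formatter steps described above (flag byte from the plaintext length and MAC length, nonce, associated data, 128-bit padding, counter blocks) can be written out in software as follows. This is an added example following NIST SP 800-38C, not the thesis's Verilog; the function names and the 12-byte nonce and 16-byte MAC in the sample values are assumptions chosen for illustration.

```python
BLOCK = 16  # AES block size in bytes (128 bits)

# Constructed sample values (not from the page).
SAMPLE_NONCE = bytes(range(12))
SAMPLE_MAC_LEN = 16

def pad(data):
    """Zero-pad to a multiple of the 128-bit block size."""
    return data + b"\x00" * (-len(data) % BLOCK)

def first_block(nonce, plaintext_len, mac_len, has_assoc):
    """B0: flag byte || nonce || plaintext length encoded in q bytes."""
    q = 15 - len(nonce)
    if not 2 <= q <= 8 or mac_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("invalid nonce or MAC length")
    if plaintext_len >= 1 << (8 * q):
        raise ValueError("plaintext too long for this nonce length")
    # bit 6: associated data present; bits 5-3: (t-2)/2; bits 2-0: q-1
    flags = (0x40 if has_assoc else 0) | (((mac_len - 2) // 2) << 3) | (q - 1)
    return bytes([flags]) + nonce + plaintext_len.to_bytes(q, "big")

def format_blocks(nonce, assoc, plaintext, mac_len):
    """Return the 128-bit formatted blocks B0..Br that feed CBC-MAC."""
    data = first_block(nonce, len(plaintext), mac_len, bool(assoc))
    if assoc:
        if len(assoc) >= 0xFF00:
            raise ValueError("only the 2-byte length encoding is handled here")
        data += pad(len(assoc).to_bytes(2, "big") + assoc)
    data += pad(plaintext)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def counter_blocks(nonce, plaintext_len):
    """Ctr_0..Ctr_m: flag byte (q-1) || nonce || counter in q bytes.

    AES(Ctr_0) masks the MAC; AES(Ctr_1..m) mask the payload blocks.
    """
    q = 15 - len(nonce)
    m = -(-plaintext_len // BLOCK)  # ceiling division
    return [bytes([q - 1]) + nonce + i.to_bytes(q, "big") for i in range(m + 1)]
```
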
SHA-256
The first READY state is transferred to FIRST_BLOCK when the start signal (do_format) is input to the system. To produce a fast and efficient SHA-256, we use parallel preprocessing and a hash calculation structure as shown in Figure 1, which is the proposed structure of SHA-256. The last padded block consists of a 448-bit message part, in which the message is followed by a single 1 bit and consecutive 0 bits, and the length.
The Wt values are used to calculate the eight working variables (Compute Memory) and two temporary variables. Therefore, they must be prepared before calculating the working variables and the two temporary variables to generate the message digest blocks. In fact, Wt 0 to 15 are the same as the corresponding padded blocks, but Wt 16 to 63 require calculation using the previous Wt.
And this operation is one step further because other hash calculation operations of this latest Wt are required. To reduce the delay of this critical path, we use the IP adder/subtractor logic available in the Xilinx ISE tool [20].
Hash-DRBG …
If Reseed_counter is greater than Reseed_interval, then this module generates the Reseed_required signal and exits. The additional input (Addi_input) is an optional input for generating the RB; it is processed by SHA-256 together with 0x02 and V to produce w. The modular operation would require a large amount of arithmetic logic, but we implement it using simple bus wiring syntax in Verilog-HDL.
The next process is to execute the Hashgen submodule with V and the desired number of bits. To regenerate V, the SHA-256 module also uses three 256-bit adders (red circle in Figure 4-9) and right shift is required. To solve this problem, we use the Xilinx Adder/Subtractor IP and reduce the delay of the critical path in this module.
When all processes in this module are done, Reseed_counter is incremented to check how many times RB has been generated. It shuffles the Input_string using SHA-256 until the required bit length equals No_of_bits_to_return (seedlen), often. In this FSM, the instantiation is done before the i_do_generate signal is generated to call the generate FSM in Figure 4-14.
If reseed is needed, call the reseed FSM in Figure 4-13 to regenerate V, C, and Reseed_counter.
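The instantiate, generate and reseed steps described in both Hash-DRBG passages above, together with the Hash_df and Hashgen sub-algorithms, look like this as a software reference model. This is an added example following NIST SP 800-90A, not the thesis's hardware design; the class and function names are assumptions, and the default reseed interval is the SP 800-90A maximum rather than a value taken from the page's Table 3-3.

```python
import hashlib

SEEDLEN = 440                # bits, SP 800-90A seed length for SHA-256
SEEDBYTES = SEEDLEN // 8
MASK = (1 << SEEDLEN) - 1    # "mod 2^seedlen" is plain truncation (bus wiring)
def sha256(data):
    return hashlib.sha256(data).digest()

def hash_df(input_string, nbits):
    """Hash_df: hash counter || nbits || input until nbits are collected."""
    out, counter = b"", 1
    while len(out) * 8 < nbits:
        out += sha256(bytes([counter]) + nbits.to_bytes(4, "big") + input_string)
        counter += 1
    return out[:nbits // 8]

def hashgen(v, nbytes):
    """Hashgen: hash V, V+1, V+2, ... and concatenate the digests."""
    out, data = b"", v
    while len(out) < nbytes:
        out += sha256(data.to_bytes(SEEDBYTES, "big"))
        data = (data + 1) & MASK
    return out[:nbytes]

class HashDRBG:
    def __init__(self, entropy, nonce, personalization=b"", reseed_interval=1 << 48):
        self.reseed_interval = reseed_interval  # assumed default, see lead-in
        self._seed(entropy + nonce + personalization)

    def _seed(self, seed_material):
        v = hash_df(seed_material, SEEDLEN)
        self.V = int.from_bytes(v, "big")
        self.C = int.from_bytes(hash_df(b"\x00" + v, SEEDLEN), "big")
        self.reseed_counter = 1

    def reseed(self, entropy, additional=b""):
        self._seed(b"\x01" + self.V.to_bytes(SEEDBYTES, "big") + entropy + additional)

    def generate(self, nbytes, additional=b""):
        if self.reseed_counter > self.reseed_interval:
            return None      # Reseed_required: caller must reseed first
        if additional:
            w = sha256(b"\x02" + self.V.to_bytes(SEEDBYTES, "big") + additional)
            self.V = (self.V + int.from_bytes(w, "big")) & MASK
        bits = hashgen(self.V, nbytes)
        h = sha256(b"\x03" + self.V.to_bytes(SEEDBYTES, "big"))
        self.V = (self.V + int.from_bytes(h, "big") + self.C + self.reseed_counter) & MASK
        self.reseed_counter += 1
        return bits
```

The last update of V is the three-operand addition (H, C and the reseed counter added to V) that the hardware maps onto its 256-bit adders. In real use the entropy input must come from an approved entropy source, not a fixed byte string.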
ECDSA
But we make the delay up to 25 for the reliability of the function when the module is synthesized. In this implementation, we use a lot of resources for AES-CCM due to the internal registers that protect processed data from outside attacks. FPGA implementation result and comparison with previous works of AES-CCM Device FPGA Slice Clock Frequency (MHz) LUT Power (mW).
FPGA implementation result of SHA-256 and comparison with previous works. And, we can confirm that all the logic is placed on the FPGA through the RTL view of the synthesis. Michail, et al., "On Exploiting a High-Power SHA-256 FPGA Design for HMAC," ACM Trans.
García, et al., "A Compact FPGA-Based Processor for the Secure Hash Algorithm SHA-256," Computers and Electrical Engineering, vol. Stallings, Cryptography and Network Security Principles and Practices, 4th ed. http://csrc.nist.gov/publications/PubsFIPS.html. Chanbok Jeong and Youngmin Kim, "Implementation of Efficient SHA-256 Hash Algorithm for Secure Vehicle Communication Using FPGA", ISOCC 2014 conf., pp.
Tao Zhang, Luca Delgrossi, Vehicle Safety Communications: Protocols, Security, and Privacy, Hoboken, New Jersey: John Wiley & Sons, Inc., 2012. http://csrc.nist.gov/publications/PubsFIPS.html. Xilinx LogiCORE IP Adder/Subtractor v11.0. http://www.xilinx.com/support/documentation/ip_documentation/addsub_ds214.pdf. http://www.xilinx.com/support/documentation/sw_manuals/xilinx14_5/xst.pdf.
Experiment Result
AES-CCM
In this work, we implement the preprocessing process in our FPGA hardware differently from previous works. In this paper, we implement the security algorithms of IEEE 1609.2 WAVE using FPGA hardware for VC security service. For this implementation, we change the 8-bit data path of AES to 32 bits with a 32-bit S-Box.
In addition, a parallel architecture is used to increase the speed of operation, and we analyze the data dependence of the algorithm for converting sequential operation to parallel operation. However, we need to improve the critical path period and reduce the resource usage for the embedded system. Miguel Morales-Sandoval and Claudia Feregrino-Uribe, "On Elliptic Curve Cryptosystem Hardware Design", ENC'04, pp.64-70, Sept.
Ikram, “A secure framework for robust secure wireless network (RSN) using AES-CCMP”, Proceedings of the Fourth International Bhurban Conference on Applied Science and Technology, 2005.