You are on page 1of 4

VLSI IMPLEMENTATION OF THE KEYED-HASH MESSAGE

AUTHENTICATION CODE FOR THE WIRELESS APPLICATION PROTOCOL

G. Selimis, N. Sklavos and O. Koufopavlou.

Electrical and Computer Engineering Department
University of Patras, Patras GREECE
email: gselimis@ee.upatras.gr

ABSTRACT strong authentication with certificates. Especially, in
WAP security layer (WTLS), a great number of
Security has become a very critical issue in the provision operations require the Keyed-Hash Message
of mobile services. The Wireless Application Protocol Authentication Code (HMAC) [3].
(WAP) has specified a powerful security layer, the In this paper, a VLSI architecture of the Keyed-Hash
WTLS. The Keyed-Hash Authentication Code (HMAC) Message Authentication Code (HMAC) for the WAP
has been adopted by the WTLS in order to support the security layer is proposed. The introduced system is
special demands for authentication with security of high- based on the SHA-1 hash function [4-5], which is
level strength. A VLSI architecture and the FPGA specified by the WAP protocol. Furthermore, the
implementation of HMAC for the WTLS, are proposed in proposed system can be used in authentication systems
this work. The introduced design is based on the SHA-1 implementations of computer networks and wireless
hash function. The implementation results for both the protocols in general. The proposed architecture
HMAC and the SHA-1 proposed architectures are guarantees high security level, in all the applications
compared with other related works. From these requiring message authentication, via the construction of
comparisons, it is proven that the proposed system a message authentication code. The security strength and
performs better in all of the cases. It is also superior to the advantages of the SHA-1 hash function that the
the conventional hardware implementations by using the proposed architecture is based on, ensures high security
Area-Delay product. In addition to the WAP protocol, the level, in the implementation of this authentication scheme
proposed architecture can be implemented for any (HMAC).
authentication system of computer networks and wireless The proposed HMAC architecture is designed for a
protocols, with high-performance demands and hard certain cryptographic function (SHA-1), which has been
secure authentication needs at the same time. approved, by FIPS [4-5]. Although, with minor
modifications in the proposed HMAC architecture, the
selected SHA-1 can easily be replaced with any other
1 INTRODUCTION hash function, according to the user needs and the
application demands. The FPGA implementation results
Wireless networks intentionally radiate data, over the for both HMAC proposed architecture and the SHA-1
area that they allocate and outside of the limits that the hash function are presented in detail, in terms of covered
network controls. This means that someone can passively area, frequency and throughput. From the comparisons
retrieve all the transmitted information from a distance results with other related works on SHA-1 [6-8], it is
with the appropriate technical equipment. It is obvious proven that the proposed architecture performs better in
that wireless communications as a shared medium could all of the cases.
be easily intercepted. Encryption and authentication are This paper is organized as follows: in section two the
always considered when developing a wireless protocol, WAP protocol is introduced and the dedicated to the
such us WAP [1], or a mobile networking system. security layer, WTLS, is described briefly. In the next
Especially authentication is a very critical security issue, section the proposed system architecture is presented in
in addition to the encryption of data transmission [2]. detail. The VLSI implementations synthesis results are
Every client and application server provider must be given in section 4 and comparisons with other related
authenticated, in order both communication parties to be works are presented. Finally, conclusions and
safely sure that the other part is the original one that it observations are discussed in the last section.
claims to be. In the most of the cases, the services need
2 WAP AND SECURITY The preprocessing mainly appends the necessary
number of bits to the input message, in order to generate
the padded data block of specified length. The padded
2.1 Wireless Application Protocol (WAP) data are divided to t blocks of equal length. Each block
Xi serves as input to the compression function h, which
The Wireless Application Protocol (WAP) is a new computes each time a new transformed data message Hi,
protocol for wireless devices data transmission, defined as a function of the previous Hi-1 and the input Xi. After
by the WAP Forum [1]. In the most of the mobile a certain number of processing rounds, the data are
networks, the transmitted data is encrypted in the air and finally modified by the final transformation. In this way
the complete end-to-end security is not supported in the the hash value (message digest) is generated
unwired network itself. This is the major reason why in corresponding to the input message x.
WAP an extra layer, dedicated to the security, is needed.
The security layer of WAP is the Wireless Transport
3 PROPOSED SYSTEM
Layer Security (WTLS). It is the equivalent to the
Transport Security Layer (TLS) in the mobile world. This
The Keyed-Hash Message Authentication Code
certain layer introduces new features such us key
(HMAC) Standard [3] specifies a mechanism for message
refreshing, datagram support, optimized packet size and
authentication using cryptographic hash functions.
handshake. The data transmission is supported by the
HMAC can be used with any iterative hash function, in
security levels of privacy, message integrity and
combination with a shared secret key. According to the
authentication in the WTLS. DES and RC5 ciphers
HMAC standard the SHA-1 hash function [4] is used.
support privacy and for data integrity MD5 and SHA-1
We assume K the secret key and H(x) the hash function,
hash functions have been selected. In authentication level
where the input message is hashed by iterating a basic
the RSA, Diffie-Hellman and Elliptic Curve are used. In
compression function on blocks of data. With B=60 is
addition specialized security mechanisms such as HMAC
denoted the byte-length of such blocks and by L=20 the
and Digital Signature have been adopted by WTLS.
byte-length of the SHA-1 output (message digest). The
authentication key can be any length up to B, which is the
2.2 Hash Functions input data block length of the hash function. Applications
that longer than B bytes used keys are required, will first
Hash functions are used as a building block in various hash the key using the H(x) function and then use the
cryptographic applications. The most important uses are resultant L bytes data block (hash function output) as the
in the protection of information authentication and as a actual key to HMAC. In any case, the minimal
tool for digital signature schemes. A hash function is a recommended length for K is L bytes. In addition two
function that maps an input of arbitrary length into a fixed constants are specified: ipad and opad. In order to
fixed number of output bits, the hash value. Hash compute the HMAC over a data block (D), the following
functions can be divided into the following two basic function is applied:
categories: HMAC(K,D)=H{(K XOR opad) || H (K XOR ipad || D)}
• One way hash functions: these functions should be HMAC operation can be described as a simple
preimage and second preimage resistant, that is it process of 10 steps which are depicted in Fig. 2.
should be hard to find a message with a given hash Steps 1-3: Determine Ko

(preimage) or that hashes to the same value as a given
message (second preimage).
• Collision resistant: it is one-way hash function for
Step 4: Ko (x) ipad

which it is hard to find two distinct messages that
hash the same value. Step 5: Ko (x) ipad Text

Most hash functions are designed to operate as
iterative processes which hash input messages of Step 6: Ko (x) ipad
arbitrary length. These functions process on fixed-size
blocks of the input and produce a hash value of specified
length (Fig. 1). The procedure is divided to Step 7: Ko (x) opad

preprocessing, compression and final transformation.
Padded Data
X1 X2 ... Xt

Step 8: Ko (x) opad H((Ko (x) ipad)) II text)
Final Transformation

Input Hash
Message Hi=f(Xi) Value
X Add Append Compression
G(Ht)

Padding Message Function Step 9: H((Ko (x) opad) II H((Ko (x) ipad)) II text)
Bits Length f(x)

Preprocessing MAC(text)=leftmost t bytes of
Step 10:
H((Ko (x) opad) II H((Ko (x) ipad)) II text)
Iterated Hi-1
Processing

Figure 1: General Model of Hash Function Figure 2: HMAC Construction
3.1 Proposed System Architecture input, and produces a 160-bit condensed representation
of the message, called message digest. The SHA-1
The proposed system of the HMAC authentication proposed architecture is illustrated in the Fig. 4.
unit for the WAP security layer is illustrated in Fig. 3. Input Data
32-bit

Padding Unit Transformed Data
XOR Block
Register
Control SHA-1
Unit Unit 5x32-bit
Concatenation
Padded Data
Unit 512-bit Wt
32-bit
Control
Signals SHA-1
Registers Address Bus (8-bit)
Key K,K0 Wt_Kt Constants Transformation
Generator Unit Round Unit
Fixed ipad Data Bus (128-bit)

Fixed opad
Kt
Temp Data 32-bit
Common Bus Interface Unit 5x32-bit Transformed
Control Data 160-bit
Control Unit Last
Figure 3: Proposed System Architecture Transformation
Unit
It is obvious that the HMAC proposed architecture is
Message Digest
built on the SHA-1 hash function that has been adopted 160-bit

by the WAP.
The control unit coordinates all the system operations Figure 4: SHA-1 Unit Architecture
according to an FSM diagram. Like the most of the The Transformed Data Register is used for temporary
system-on-chip designs the proposed HMAC architecture storage of the transformed data, after every
includes a simple common bus interface unit for transformation round is performed. SHA-1 hash function
communication with the external environment. Two specifies 80 common data transformation rounds in total.
internals buses, the address and the data bus of 8 and The SHA-1 Transformation Round is a specified mixed
128-bit respectively, have also been integrated. In logic and mathematic nonlinear transformation function.
addition an XOR block and a concatenation unit have The Last Transformation Unit finally modifies the
also been included in this proposed HMAC architecture. transformed data. This unit consists of 5 modulo adders
The concatenation unit is necessary for all the needed and modulo additions 232 are performed, between the
appending data procedures. Finally, some registers are input data and the five specified constants of 32-bit. In
used, for the appropriate constants, temporary data and this way, the message digest is finally produced. SHA-1
the used key storage reasons. The proposed HMAC sequentially processes 512-bit blocks and computes the
architecture is designed for a specified cryptographic 160-bit message digest. The purpose of Padding Unit is
function (SHA-1) that has been selected by WAP to make the total length of the desirable input data
protocol. Although, with minor modifications and with exactly a multiple of 512-bit. SHA-1 hash function
the addition of some extra registers, in the proposed sequentially process blocks of 512-bit when computing
HMAC architecture, the selected SHA-1 can easily be the message digest. The padded message is generated
replaced with any other hash function. It has been with the following described process: a logic “1”,
estimated that all the appropriate modifications to the followed by m “0”s, followed by a 64-bit integer are
proposed HMAC architecture that have been described appended to the end of the input data to produce a padded
above, would have finally an allocated resources penalty message of length 512*n. The 64-bit integer is equal to
increase at about 5-10 % of the total system covered area. the length of the input data message. A sequence of
The operating frequency of the proposed HMAC constants and some initialized processing data blocks are
architecture it’s time is equal to the frequency of the hash used in this hash function. The WT_Kt Constants
function unit (SHA-1 in our case). Furthermore, detailed Generator Unit supports these constants values.
information of the proposed architecture VLSI
implementation performance will be presented in the next
section 4. 4 VLSI IMPLEMENTATION RESULTS

The proposed architecture has been captured by using
3.2 SHA-1 Hash Function Proposed Architecture
VHDL. All the internal components of the design were
synthesized placed and routed using XILINX FPGA
SHA-1 hash function has been developed by NIST devices [9]. The system then was simulated again, for the
with NSA [4] in order to be used in the Digital Signature verification of the correct functionality. The synthesis
Standard [5] and wherever a secure hash algorithm is results for both HMAC and SHA-1 proposed
required for federal applications. SHA-1 operates on implementations are illustrated in Table 1.
messages or data file of length<264 that is provided as
Table 1: Implementations Synthesis Results
5 CONCLUSIONS

HMAC SHA-1 In this paper, a VLSI architecture and the implementation
FPGA Device
(v150bg352) (Used/Available) (Used/Available) of the Keyed-Hash Message Authentication Code
(HMAC) is presented. The introduced system is used in
Fun. Gener. 1593 / 3072 893 / 3072 WTLS security layer. The proposed architecture is based
CLB Slices 1018 / 1728 518 / 1728 on the powerful SHA-1 hash function. It can also be
Dffs 1736 / 3072 1036 / 3072 integrated in authentication systems that are used for the
F (MHz) 82 implementation of computer networks and wireless
protocols in general. The proposed unit guarantees high
Furthermore, comparisons of the proposed SHA-1 security level in all the applications, requiring message
implementation with other published works of the same authentication, via the construction of a message
hash function are presented in Table 2. The proposed authentication code based on a hash function. The
architecture throughput is 4.3 better than the FPGA proposed architecture has high-speed performance. The
throughput and 5.9 times better compared with the ASIC SHA-1 unit that the HMAC process is based on, is faster
implementation of the work [6]. Compared with the compared with other implementations, in all of the cases.
hardware implementation of [7] the proposed one is 6.9 The above advantages prove that the proposed system is
times faster the term of throughput. The work of [8] is a a very efficient solution for the WAP protocol.
software development in two different kinds of servers. Furthermore the proposed system can be used for all
For the first server of [8] no information is provided for types of HMAC applications, with hard high-speed
the CPU clock, while the second uses a CPU clock at 133 performance (LANs, Wireless Protocols), and at the same
MHz. The achieved throughputs are 4.23 and 41.51 time with high-level security authentication demands.
Mbps for these two servers, respectively. The proposed
SHA-1 implementation has 121 times and 12 times better 6 REFERENCES
throughput than the software works in [8].
Table 2: SHA-1 Implementations Comparison [1] WAP Forum: “Wireless Application Protocol
Architecture Specifications”, 2003.
Frequency Data Rate [2] Bruce Schneier, Applied Cryptography – Protocols,
Implementations
(MHz) (Mbps) Algorithms and Source Code in C, Second Edition,
42.9 FPGA 119 John Wiley and Sons, New York, 1996.
SHA-1 [6]
59 ASIC 86 [3] HMAC Standard, National Institute of Standards and
SHA-1 [7] 37 74 Technology, The Keyed-Hash Message
Authentication Code (HMAC), 2003.
Server 1: N/A 4.23 [4] SHA-1 Standard, National Institute of Standards and
SHA-1 [8]
Server 2: 133 41.51 Technology (NIST), Secure Hash Standard, FIPS
Proposed 82 518 PUB 180-1, www.itl.nist.gov/fipspubs/fip180-1.htm,
2003.
In addition, and only for the FPGA implementations [5] National Institute of Standards and Technology
of SHA-1, the Area-Delay product can be used as a (NIST), Digital Signature Standard, FIPS PUB 186-2,
comparison term for the proposed SHA-1 implementation http://csrc.nist.gov/publications/fips/fips186-2.htm,
with the other conventional works [6-7]. As it is shown in 2003.
Fig. 4, the proposed architecture is superior to the other [6] S. Dominikus, “A Hardware Implementation of MD4-
conventional FPGA implementation in all of the cases. Family Hash Algorithms”, proceedings of IEEE
International Conference on Electronics Circuits and
Systems (ICECS’02), Dubrovnik, Croatia, September
60 15-18, 2002.
50
[7] P. Kitsos, N. Sklavos and O. Koufopavlou, "An
Efficient Implementation of the Digital Signature
40 Algorithm", proceedings of IEEE International
Conference on Electronics Circuits and Systems
30
(ICECS’02), Croatia, September 15-18, 2002.
20 [8] Michael Roe, “Performance of Block Ciphers and
Hash Functions-One Year Later”, proceedings of
10 Second International Workshop for Fast Software
0
Encryption ’94, Leuven, Belgium, December 14-16,
SHA-1 [6] SHA-1 [7] SHA-1 Proposed 1994.
Figure 4: Area-Delay Product (CLBsXnsec) Comparison [9] Xilinx, San Jose, California, USA, Virtex, 2.5 V Field
Programmable Gate Arrays, www.xilinx.com, 2003.