HDCP Engine SafeXcel EIP-115
AuthenTec’s new HDCP content protection solution enables semiconductor and appliance vendors to implement a complete HDCP2.1 solution into silicon and consumer devices. It supports integration into a highly secure implementation by protecting all of the encryption keys and secure computations. The security module of the HDCP2.1 protocol is available on a TrustZone-based software platform or as a dedicated, highly secure and optimized hardware module.
SafeXcel EIP-115 is a dedicated HDCP hardware engine that protects keys and sensitive operations and accelerates encryption and decryption operations to enable protection of uncompressed and compressed, full HD content. SafeXcel EIP-115 works seamlessly with AuthenTec’s existing SafeXcel packet engines and SafeZone secure platform offerings. These hardware offerings enable chip makers to enhance their products to support the latest HDCP standards.
The SafeXcel EIP-115 provides the required technology for implementing all the secure access, cryptographic computations and cipher engine as defined in the HDCP2.1 specification. This module not only generates the AES-128 based key stream for encrypting or decrypting the content stream but also provides all the cryptographic functions for authentication, key exchange, locality check and certificate verification. Beyond providing a very high level of security, the SafeXcel EIP-115 hardware-based acceleration offers significant advantages over a software only implementation for timing critical and performance/power optimized cryptographic operations. The module includes a secure interface to Non-Volatile Memory (NVM) for retrieving the device unique keys which must be programmed as part of the manufacturing process.
Applications
In a content protection system, the SafeXcel EIP-115 forms the hardware-based security boundary wherein all secure parameters and cryptographic computations are managed during all the HDCP protocol phases from authentication of the connected devices up to and including the generation of the key stream. AuthenTec’s SafeXcel EIP-115 is defined for use in source and sink devices or in a combination of both (bridge/repeater devices).
The SafeXcel EIP-115 module can be integrated into:
- Application Processors
- Multimedia Processors
- Systems on a Chip (SOCs)
- Set-top Boxes
- Graphics Processors
The output of the SafeXcel EIP-115 generates AES-128 key streams for commonly used interfaces such as USB, WiFi and Ethernet. Newly introduced wireless and wired interfaces like WiGig, WirelessHD, WHDI and DiiVA are also supported, although some of these interfaces require an additional, interface-specific cipher engine.
Features
Secure access of confidential material
- Hardware protected access of confidential parameters and key material such as private keys and session keys, as required by the robustness rules defined in [HDCP], appendix A.
Symmetric crypto algorithms
- AES Counter mode with a key length of 128 bits
Asymmetric crypto algorithms
- RSA-CRT - with a modulus length of 512 bits
- RSA - with modulus lengths of 1024 and 3072 bits
Hash and HMAC algorithms
True Random Number Generator
- Hardware-based, Non-deterministic Random Number Generator
- Implementation is based upon standard cells so no specific analog engineering is required
- NIST SP 800-90 compliant
Embedded Controller
- Dedicated secure controller
RSA and HMAC Performance
Crypto performance at 150 MHz:
- RSA-1024 bits (e=2^16+1): 1.3ms
- RSA-3072 bits (e=3): 2.2ms
- RSA-CRT 512-bits: 26.1ms
Configurations
The SafeXcel EIP-115 AES core is available in different configurations.
SafeXcel EIP-115a Low gate count configuration:
- 35k gates TCM in TSMC 40nm at 150MHz
- Key stream data up to 2.4Gbps at 600MHz
SafeXcel EIP-115b High performance configuration:
- 81k gates in TSMC 40nm at 150MHz
- Key stream data up to 23Gbps at 600MHz
Interfaces
Host Interface
The SafeXcel EIP-115 has a single 32-bit Host interface that is available for TCM, AHB and AXI busses.
Key Stream Interface
128-bit wide with data handshake
NVM Interface
Generic memory interface for easy integration of Non-Volatile Memories
Firmware API Functions
The firmware running on the SafeXcel EIP-115 embedded controller supports HDCP 2.1 protocol primitives such as:
- Authentication and Key Exchange
- Locality Check
- Session Key Exchange
- Stream Management
- Renewability
- Master key, session key and nonce generation