
S/390 CMOS Cryptographic Coprocessor Architecture: Overview and design considerations

by P. C. Yeh
R. M. Smith, Sr.

This paper describes the design objectives and presents an overview of the design for the IBM S/390 CMOS Cryptographic Coprocessor, also known as the S/390 cryptographic module (SCM). The SCM is fully compatible with the earlier S/390 cryptographic module, ICRF (Integrated Cryptographic Facility), and has been certified by the National Institute of Standards and Technology at the highest level of security qualification. The principal features and unique characteristics of the SCM are summarized in the context of the architecture design.

Introduction

With the explosive growth of Internet applications, demand for information protection has become prevalent. Lack of network security has been recognized by many as the single most significant barrier to the progress of e-business. Cryptography is an effective means of protecting information and authenticating users, and is commonly used to improve network security. Furthermore, hardware cryptographic devices are often used for higher security and better performance. It is well recognized in the security community that hardware cryptographic devices provide additional security because of hardware-enforced protection and control of security-related data.

The S/390* CMOS cryptographic coprocessor, also known as the SCM (S/390 cryptographic module), provides high performance, reliability, and security for various applications. The SCM is fully compatible with the Integrated Cryptographic Facility (ICRF) [1, 2], a previous S/390 cryptographic module, and the National Institute of Standards and Technology (NIST) has granted it an overall Level 4, the highest security level of Federal Information Processing Standards (FIPS) 140-1 certification [3].

The SCM is available on G3 and subsequent S/390 enterprise servers, and supports both DES-based and public-key applications, including data encryption using DES or triple-DES (TDES), message-authentication-code (MAC) processing using one or more DES keys, personal-identification-number (PIN) processing, DES-key management, 1024-bit RSA and Digital Signature Standard (DSS) [4] digital signature, 1024-bit Diffie–Hellman (DH) key-agreement protocol, and private-key management.

© Copyright 1999 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.

0018-8646/99/$5.00 © 1999 IBM

This paper first outlines the design objectives and the intended operating environments; an overview of the SCM is then presented. Main features and unique characteristics of the SCM are summarized, and a detailed discussion of the pseudorandom number generator (PRNG) design is provided. Major considerations that shaped the SCM design are discussed, and the rationale behind some of the decisions is also described.

Note that the FIPS 140-1 Level 4 certification of the SCM specifically excludes the PRNG, not because of any known weakness in the PRNG but because it does not implement a FIPS-approved algorithm. The PRNG was designed before the FIPS-approved algorithms were selected. To clearly explain and justify the PRNG design in light of this exclusion, the section on the PRNG includes more detail than the rest of the paper.

The SCM provides a rich set of functions and a wide range of controls to support customers with various security requirements, ranging from the highest, for the very sophisticated security-conscious customer, to the simplest. The SCM can be configured to any desired level of security by establishing proper controls and disabling unused functions through a secure workstation. Note also that not every function mentioned in this paper is currently supported by the software and the secure workstation, and the terminology used in this paper is not necessarily consistent with that of other IBM manuals or publications.

Design objectives

In addition to meeting the general requirements of high performance and reliability for enterprise servers, the SCM is designed to achieve the following specific objectives as well:

1. To be a follow-on product to ICRF. This objective requires that the SCM implement all ICRF application functions so that existing applications can run with no changes.

2. To enhance the DES-based functions. Several functions provided in ICRF needed improvement. Among these were better control of the DES key export function, more flexibility of control vector usage [1], and support of TDES for data encryption and MAC using multiple DES keys.

3. To support PKA (public-key algorithm) applications. To support applications for e-business, it is essential to support commonly used PKAs and newly emerging standards, including RSA, DSS, and DH.

4. To improve manual operations for high-security users. With ICRF, control of the cryptographic module and installing of initial keys are manual operations which must be performed at a control panel attached to the server. In most installations, the server is placed in an area (sometimes referred to as a “darkroom”) which is kept secure and is not easily accessible to security officers. In such installations, it is desirable to provide the “manual” functions by means of a remote capability, rather than to require security officers to enter the darkroom area.

5. To facilitate the establishment of mirror images for high-security users. In many enterprises, multiple systems are established with a mirror image for backup or performance. For ICRF, this requires the same manual operations to be performed repeatedly. This problem creates operational complexity and increases cost for managing cryptographic systems, particularly for enterprises that have multiple geographically separated systems. A solution that allows security officers to create mirror images at a remote site with security is desirable.

6. To simplify manual key entry for normal users. Many customers do not require the maximum security provided by the SCM, and have requested a simple means to install initial keys.

7. To be the most secure cryptographic product commercially available. In many installations, S/390 enterprise servers are used to perform critical operations and high-value transactions that require extremely high security. This requires both cryptographic strength and physical security. Cryptographic strength is provided by using the most secure cryptographic algorithms currently known. The goal for physical security was to comply with the implementation security requirements for Level 4 of FIPS 140-1.

8. To be exportable. Cryptographic devices are export-controlled. ICRF is an optional feature and is included only in machines for entitled customers. This solves the export problem for ICRF. For the SCM on CMOS machines, however, the cost of the cryptographic module is smaller than the cost to provide additional part numbers, and it is cheaper to include the SCM as a standard part of all CMOS machines. This requires a means of enforcing the export regulations in hardware so that all machines are exportable.

Operating environments

The SCM is designed for IBM S/390 Parallel Enterprise Server* computers. It is initialized, customized, and configured by customer security officers for use by the control program. Applications must invoke the control program to obtain cryptographic services. The control program issues cryptographic functions on behalf of applications. Security-relevant cryptographic functions used by the control program can be partially or entirely disabled by security officers. This allows security officers to configure the SCM for various control-program authorities, including any combination of SCM use and SCM update. With regard to manual operations, the SCM is designed to be used in three different environments: interactive secure workstation, control-program protected, and “load and lock.”

● Interactive secure workstation environment

The primary thrust of the SCM design is a direct follow-on to the ICRF, but the manual controls of the ICRF are replaced with a secure workstation. In this environment, security officers can monitor the status of the SCM; enable and disable a particular group of functions, a cryptographic domain, or the entire module; and perform key entry concurrently with other operations—all from a remote location with complete security and integrity.

In this case, security and integrity are enforced by the SCM. Additionally, multiple control is provided for performance of critical functions. In some documentation, this is called the TKE (trusted key entry) environment.

In this environment, the secure workstation becomes a logical extension to the SCM and can be used in conjunction with it to provide the optimum balance between performance and flexibility by implementing the high-usage cryptographic operations within the SCM while permitting the less frequent operations to be performed in the associated secure workstations. Thus, the secure workstation may be used in the management of DES and private keys, including generation, split-knowledge splitting and restoration, distribution, preservation, and migration of private keys from smaller servers.

● Control-program-protected environment

For customers who require a simple means for cryptographic system management, a set of clear master-key entry functions is provided to allow security officers to install the master keys without requiring a secure workstation. In this case, security and integrity are enforced by the control program. Each key part is entered “in the clear” into the SCM through the control program. The clear master-key entry functions can be disabled by setting proper controls in the SCM. Separate controls are provided for each of the three master-key registers in each of the sixteen domains. In some documentation, this is called the non-TKE environment.

● Load and lock environment

The SCM provides the security-conscious customer who has limited resources with a simple mechanism to protect the SCM. Again, no secure workstation is required in this environment. The customer can perform customization of the SCM as a special step by physically securing the machine room, loading the master keys with the clear master-key entry functions, and then locking the SCM by properly setting up controls in SCM so that these functions are disabled and cannot be re-enabled without an SCM reset, which clears all customer information.

● PR/SM environment

Under PR/SM,¹ the SCM is shared among systems in different partitions, running simultaneously on the same machine. Inside the SCM, special hardware is provided to support sixteen independent cryptographic domains in order to achieve high protection and isolation among partitions. Outside the SCM, PR/SM controls are provided so that, for a given partition, the cryptographic capability may be totally disabled, or may be entirely or partially enabled by the PR/SM operator. Critical functions that reset the SCM or change the SCM contents can also be disabled by the operator.

SCM overview

● Performance and availability

For performance and availability, up to two SCMs are provided in each machine. Each SCM is physically attached to a different CPU (central processing unit).

Synchronous, asynchronous, and concurrent operations

A cryptographic operation may be synchronous or asynchronous with respect to the requesting CPU. Functions requiring a significant amount of processing time are performed asynchronously with respect to the requesting CPU in order to avoid tying up the CPU. Typically, these functions use public-key algorithms or other complex algorithms. All other functions are performed synchronously with respect to the CPU to avoid the overhead of asynchronous functions. Synchronous functions can be requested only by CPUs that have an SCM attached. To handle asynchronous execution, special hardware queues are provided and shared by all CPUs. New instructions are provided to permit all CPUs to send asynchronous functions (called requests) to the SCM by means of the hardware queues. The CPU attached to the SCM sends these requests from the hardware queues to the SCM and places the results (called replies) back in these queues. Except for a small time period required for initiation and completion, the asynchronous operations are performed without interfering with synchronous operations.

¹ Processor Resource/Systems Manager* (PR/SM*) is a hardware feature that allows the resources of a machine to be shared dynamically among multiple, independent “partitions.” Each partition can run an operating system, and all partitions can operate simultaneously.

In the simplest preliminary design, while the SCM was performing asynchronous functions, it would have appeared busy to any synchronous functions. However, it is desirable to permit concurrent execution of synchronous and asynchronous functions to avoid blocking effects. To permit this type of overlap, the SCM includes two processors, a synchronous processor and an asynchronous processor.

Note that all ICRF functions are synchronous. It would have been possible to change these original functions to use the hardware queues, thus making them available to all CPUs, but this was not done for the SCM because it would have resulted in a substantial incompatibility, and the performance benefit would have been marginal.

● Function and control

The SCM provides two types of functions, PKSC (public-key security control) and normal. PKSC functions are usually issued by security officers at secure workstations; normal SCM functions are issued by the control program. Hardware-enforced authentication and authorization are provided for security-relevant PKSC functions.

Identification is achieved by means of RSA digital signature. These signature-controlled PKSC functions are further divided into single-signature or multiple-signature functions. The latter allow multiple control of the function performance. A set of PKSC authorization masks in the SCM provides control at a finer granularity than the function level. Several query functions, which read out SCM status, are the only PKSC functions that do not require authentication and authorization to be performed by the SCM.

Security-relevant normal SCM functions can be disabled by means of a profile register in SCM. The control program can issue one of these functions only if the function is enabled, as specified in the profile register. The contents of the profile register can be changed only by authorized security officers using PKSC functions. The following normal SCM functions have no reliance on any secret data, are not subject to profile control, and are always available:

1. Generate hash.

2. Verify DSS digital signature.

3. Modular exponentiation.

● Cryptographic strength

The lifespan of S/390 enterprise servers can be more than ten years. The security provided by the SCM must not only meet today’s highest requirement but also accommodate future advances in technology.

A design guideline to pursue the highest security possible was developed, and a minimum security level was established. Since the DES master key (DMK), carried over from ICRF, was 128 bits, the minimum security level was established as a work factor of 2^128. It was also a goal that no new portion added should be the weakest link. Thus, all new secret values maintained inside the SCM had to be at least 128 bits.

● Physical security

Strong cryptographic algorithms alone do not provide overall system security; physical security is also required, but the effectiveness of such a design cannot be easily validated by customers. ICRF was designed to meet the physical security requirements of FIPS 1027 [5], the only standard available at the time. In the past, many customers had suggested that the physical security of ICRF be evaluated by independent laboratories. This was not done because of a lack of standardized evaluation criteria and processes.

During the design of the SCM infrastructure (1992–1994), FIPS 140-1 was proposed to replace FIPS 1027 and to include a validation process. Even though the basic design of the SCM was completed before FIPS 140-1 was adopted, the goal was to comply with the highest security level of the standard.

The SCM is a single-chip cryptographic module, and the chip itself forms a physically secure boundary. The tamper-resistant design protects security-related information in the SCM against various physical intrusions and probing. When the SCM is removed from the machine, all customer information inside the module is automatically erased.

● Secure boundary

The design prevents security-related information maintained inside the SCM from being compromised through subversion of any system component outside the SCM, including the control program, CPU microcode, and system diagnostic tools. All cryptographic operations are performed entirely by hardwired circuitry inside the secure boundary. The CPU microcode, which interprets instructions, does not perform any security-relevant cryptographic operations. No intermediate value of any cryptographic operation ever leaves the boundary. Secret data maintained within the boundary never leaves the boundary unencrypted.

● Nonvolatility

The SCM has two power sources, a primary power and a backup battery. When the primary power is turned off, customer security-related data is maintained by the backup battery. When the primary power is turned back on, the SCM resumes the state that existed before the primary was turned off.

● Module structure

Figure 1 visually summarizes the major portions of the SCM. The SCM implements special hardware for DES, PIN, SHA-1 [6], PRNG, and modular exponentiation. In addition to its use by the more complex RSA, DSS, and DH operations, the modular exponentiation operation is also provided as an uncontrolled normal SCM function. The modulus size for the modular exponentiation, RSA, DSS, and DH functions can be up to 1024 bits. The SCM includes registers for maintaining customer security-related data, including master keys, identification data, and authorization controls.

Burned-in values

As part of the manufacturing process, each SCM is assigned a 128-bit unique cryptographic module ID (CMID). A unique 1024-bit RSA key pair is also generated for each SCM; the RSA key pair includes a 1024-bit cryptographic module secret exponent (CMSE) and a 1024-bit cryptographic module public modulus (CMPM). During the manufacturing process, the CMID and CMSE are burned into the SCM. Because of the technology used, there is not sufficient room on the SCM for the entire CMPM as a burned-in value, so a 128-bit MDC-4 hash value [7] of the CMPM is burned in.

Initialization and export controls

During the initialization process, a cryptographic configuration control (CCC) and the 1024-bit CMPM are loaded into the SCM. The CCC is used to enforce the availability of algorithms and key lengths controlled by U.S. export regulations. The burned-in MDC-4 hash value is used by the SCM to verify the public modulus loaded during the initialization process.

PKSC registers

A 128-bit cryptographic module signature sequence number (CMSSN) register is included in the SCM. The CMSSN is included in each message signed by the SCM and is incremented each time it is used. It provides an audit trail of all activity performed on the SCM.

Each security officer has a unique 1024-bit RSA key pair assigned. The SCM provides 16 security officer identification (SOI) registers; each holds a security officer public modulus (SOPM) and a 128-bit transaction sequence number (TSN) register. The TSN in the request message eliminates the possibility of replaying a previously signed PKSC request.

To facilitate support for multiple-signature PKSC functions, the SCM provides a signature requirement array (SRA). For each of these functions, the SRA specifies the number of signatures required and the security officers who are authorized to sign. A requested multiple-signature PKSC function is placed in a pending-request register (PRR) until all requirements in the SRA have been satisfied.

Four PKSC authorization masks in the SCM control the use and update of each SOI register and the effects of certain PKSC functions on domains.

Transport registers

Secret information entering or leaving the SCM by means of PKSC functions is protected using the transport registers. The transport mechanism is based on the Diffie–Hellman (DH) protocol. All DH registers are 1024 bits long and include a modulus (DHm), a generator (DHg), a secret exponent (DHx), and the public result of the exponentiation (DHf).

The DH protocol results in two secret transport keys: a 128-bit basic transport key (BTK) and a 320-bit public transport key (PTK). The use of two transport keys provides better separation between DES-based and PKA-based operations and also reduces the problems involved in making the SCM exportable.

Several transport operations involve extracting a master key, or a value encrypted under a master key, and encrypting the value under a transport key. These operations use the encrypted basic extracted key (EBX) and encrypted public extracted key (EPX) registers to hold the results.

Domain-based registers

Domain-based registers are replicated for each of the sixteen cryptographic domains. Three master keys are used to protect application keys maintained outside the secure boundary. The DES master key (DMK) protects DES keys, the signature master key (SMK) protects private keys for digital signature, and the receive master key (RMK) protects private keys for importing DES keys. The use of three master keys provides maximum separation among the three types of applications. An auxiliary DES master key (AMK) is provided to facilitate dynamic update of the DES master key.

A profile register is used to enable or disable certain normal SCM functions. These functions are divided into groups. A bit in the profile register is assigned to each of these groups. A set of key part registers is provided to enhance the manual key entry process. This allows up to three key parts to be stored inside the SCM before the control program accepts them.

PKSC facility

The Integrated Cryptographic Facility (ICRF) implemented on bipolar machines included a manual control panel for use by security officers. The control panel, placed on the server, included a key entry device and manual switches. The manual switches, operated by brass keys, provided cryptographic controls with dual control. Secure communication between the control panel and the tamper-resistant cryptographic module was provided by means of a tamper-resistant cable. The cost of this approach, especially with regard to the secure cable, was significant in previous implementations, but with the CMOS technology used for SCM, the entire cryptographic module is implemented in a single chip, and it is not practical to attach a tamper-resistant cable to it.

With the SCM, the manual control panel and the key part entry device are provided by means of remote secure workstations, the secure cable is replaced by the use of public keys and digital signature over a public channel which does not require security or integrity, and the dual control function is enhanced by means of an N-of-M voting control mechanism.

The PKSC facility consists of a number of functions and registers for supporting module initialization, key entry, and module control from a remote site with extremely high security and integrity in the interactive secure workstation environment. This facility is a replacement of the tamper-resistant cable used in ICRF and provides a great enhancement for cryptographic system management.

● PKSC functions

PKSC functions are divided into the following categories: initialization, query, transport-key management, multiple signature, and co-sign. The initialization functions are used only during the initialization process and are not discussed here in detail. The query functions are provided to examine the SCM status, and query requests are not signature-controlled. All other PKSC functions are signature-controlled. The transport-key management functions are used to establish transport keys using the Diffie–Hellman protocol and are single-signature functions. The multiple-signature functions are provided for performing key entry, control setup, and other critical functions. Performance of multiple-signature functions is subject to control specified in the signature requirement array (SRA) and is achieved by digital signature using the co-sign function, which itself is a single-signature function.

● PKSC security

PKSC public audit

Public audit of the SCM status and the results of previous operations is provided by means of query functions. Query functions are provided to read all public information and the MDC-4 hash value for each secret value in the SCM. Queries can be requested without requiring any authentication and authorization to be performed by the SCM. This allows public audit of the SCM to be performed by anyone to ensure integrity at each step of all security-critical processes, such as installation of identification data, authorization controls, and master keys, and transfer of master keys or PKA objects.

PKSC authentication

Messages transmitted between the SCM and security officers at secure workstations using PKSC functions are authenticated for originator and integrity in both directions. This is achieved by using the RSA digital signature. A request message for a security-relevant PKSC function must be signed by the requesting security officer using the security officer’s private key. The signature is verified by the SCM using the public modulus in the SOI register associated with the requesting security officer before the request is accepted. A security-relevant reply message for a PKSC request is signed by the SCM using the SCM’s private key. The signature is verified by the receiving security officer. In either direction, an ISO-9796 signature [8] of an MDC-4 hash value of the message is used, and a fixed value of 65537 (2^16 + 1) is used as the public exponent for all SCMs and security officers.

Message freshness is also ensured in both directions to eliminate the possibility of replaying any signed message. Query requests include a 128-bit value called a query ID, which is returned in the signed reply. The security officer can ensure the freshness of reply messages by placing a fresh random number in each query request. Replay of signed requests is prevented by means of the TSN field in the SOI register. When the security officer public modulus is loaded into the SOI register, a fresh 128-bit random number is placed in the TSN field. After the SOI register has been loaded, the security officer must query the current TSN. The current TSN must be included in the signed portion of the request; if the TSN in the request does not match the TSN in the SOI register, the request is rejected by the SCM. Each time a signed request is accepted, the SCM increments the TSN for the requestor. Thus, each request must be different. Each signed reply contains the MDC-4 hash value of the original request in the signed portion of the reply message, thus ensuring freshness of the reply message.

When a multiple-signature request is pending in the PRR, the MDC-4 hash value of the entire original request, called a PR hash, is included in the PRR. Co-sign requests by security officers, who are authorized to supply additional signatures, must include this PR hash. This ensures that the pending request has not been changed between the time the security officer queries the PRR and the time the request is co-signed.

Certain operations must be performed using multiple requests. For example, several query functions must be performed to obtain a complete report of the SCM status. As another example, multiple transport-key management functions must be performed to achieve the Diffie–Hellman key agreement protocol. To solve the atomicity problems, the cryptographic module signature sequence number (CMSSN) is used. This number is set to a random number during the initialization process. Each time, after a reply message is signed by the SCM, the CMSSN is incremented. Since performance of any PKSC function that changes the SCM status provides a signed reply message, consecutive CMSSNs returned by sequential PKSC executions ensure that no such intervening function execution has occurred.
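The request and reply checks described in this section (TSN in the signed portion of a request, the request hash bound into the signed reply, consecutive CMSSNs) can be modelled as follows. This is an added example, not code from the paper or from IBM: SHA-256 truncated to 128 bits stands in for MDC-4, textbook RSA on small constructed primes stands in for 1024-bit ISO-9796 signatures, and the message layout, class names and register seeds are assumptions made for illustration.

```python
import hashlib

E = 65537                     # fixed public exponent from the paper (2^16 + 1)
MASK128 = (1 << 128) - 1      # TSN and CMSSN are 128-bit registers


def h128(msg: bytes) -> bytes:
    """Stand-in for the 128-bit MDC-4 hash: SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(msg).digest()[:16]


class ToyKey:
    """Textbook RSA on constructed primes; no ISO 9796 formatting, demo only."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))

    def sign(self, msg: bytes) -> int:
        return pow(int.from_bytes(h128(msg), "big"), self._d, self.n)


def verify(n: int, msg: bytes, sig: int) -> bool:
    return pow(sig, E, n) == int.from_bytes(h128(msg), "big")


def signed_part(officer: int, tsn: int, body: bytes) -> bytes:
    """Constructed layout of the signed portion: officer index, TSN, body."""
    return bytes([officer]) + tsn.to_bytes(16, "big") + body


class SCM:
    def __init__(self, key: ToyKey, cmssn: int):
        self.key, self.cmssn = key, cmssn & MASK128
        self.soi = {}                       # officer index -> [SOPM, TSN]

    def load_soi(self, officer: int, sopm: int, fresh_tsn: int) -> None:
        self.soi[officer] = [sopm, fresh_tsn & MASK128]

    def query_tsn(self, officer: int) -> int:
        return self.soi[officer][1]         # queries need no signature

    def request(self, officer: int, tsn: int, body: bytes, sig: int):
        """Return (reply, signature), or None when the request is rejected."""
        sopm, current = self.soi[officer]
        msg = signed_part(officer, tsn, body)
        if not verify(sopm, msg, sig) or tsn != current:
            return None                     # forged, altered, or replayed
        self.soi[officer][1] = (current + 1) & MASK128
        reply = h128(msg) + self.cmssn.to_bytes(16, "big")
        self.cmssn = (self.cmssn + 1) & MASK128
        return reply, self.key.sign(reply)


def check_reply(cmpm: int, request_msg: bytes, reply: bytes, sig: int):
    """Officer side: return the reply's CMSSN, or None if the reply is not
    genuine or does not answer this exact request."""
    if not verify(cmpm, reply, sig) or reply[:16] != h128(request_msg):
        return None
    return int.from_bytes(reply[16:], "big")


def demo() -> dict:
    officer = ToyKey(2**61 - 1, 2**89 - 1)            # constructed toy keys
    scm = SCM(ToyKey(2**107 - 1, 2**127 - 1), cmssn=0xC0FFEE)
    scm.load_soi(3, officer.n, fresh_tsn=0x1234)      # random in a real SCM

    out, cmssns = {}, []
    for body in (b"step 1", b"step 2"):
        tsn = scm.query_tsn(3)
        msg = signed_part(3, tsn, body)
        sig = officer.sign(msg)
        reply, reply_sig = scm.request(3, tsn, body, sig)
        cmssns.append(check_reply(scm.key.n, msg, reply, reply_sig))
        # The same signed bytes sent again now carry a stale TSN.
        out[body] = scm.request(3, tsn, body, sig)
    out["cmssns"] = cmssns
    # A genuine reply does not validate against a different request.
    out["cross"] = check_reply(scm.key.n, b"other request", reply, reply_sig)
    return out
```

In demo(), each replayed request is rejected because the TSN advanced when the original was accepted, and the two accepted steps return consecutive CMSSNs, which is what an officer checks to confirm that no other status-changing function ran between them.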

PKSC authorization

A security officer can request signature-controlled functions only if the public modulus for that security officer is in an SOI register enabled for verifying the signature of a signed request. After the signature of the request is verified by the SCM, a single-signature request can be performed immediately, but a multiple-signature request is placed in the PRR for further authorization checking using the SRA.

PKSC authorization masks

Four PKSC authorization masks provide additional control of certain PKSC functions. They are summarized as follows:

1. Security officer signature mask (ASM): This mask specifies which SOI registers can be used to verify the signature for a signed request. This allows activation and deactivation of security officers without requiring the corresponding SOI registers to be updated.

2. Security officer identification register change mask (ACM): This mask specifies which SOI registers can be updated by the load SOI register function. This provides a safeguard to prevent security officers of critical systems from being removed from the SCM.

3. Domain-extraction mask (DXM): This mask specifies the domains whose master keys are allowed to be transferred out by means of the extract-and-encrypt functions. This mask also controls whether PKA objects are allowed to be transferred in or out of a particular domain by means of the import PKA object and export PKA object functions.

4. Domain-change mask (DCM): This mask specifies the domains whose registers (master keys, key part registers, and profile register) can be changed by multiple-signature functions. This mask can be used to protect the domains for critical systems from being modified.

Handling of multiple-signature request

Performance of security-critical PKSC functions may require multiple signatures, as specified in SRA, from different security officers. Before all requirements specified in SRA are fulfilled, the request is placed in the pending-request register (PRR). Authorized security officers can provide needed signatures by using the co-sign function to sign the pending request.

The following summarizes the multiple-signature functions:

1. Load SOI register.

2. Load SRA and PKSC masks.

3. Zeroize domain.

4. Load profile register.

5. Create transport keys using DH.

6. Load DES key or DMK.

7. Load RMK or SMK.

8. Extract and encrypt DMK.

9. Extract and encrypt RMK or SMK.

10. Import PKA object.

11. Export PKA object.

Pending-request register

The pending-request register has the format shown in Figure 2. The signature summary mask (SSM) contains 16 bits and indicates which security officers have signed or co-signed the pending request. The pending-request text contains portions of the pending request. PR hash is the MDC-4 hash value of the entire original request and is included in each co-sign request for the pending request.

Signature requirement array

The signature requirements for multiple-signature functions are specified in the signature requirement array inside the SCM. There is one entry for each multiple-signature function. Figure 3 shows the entry format. Each entry contains three requirement fields, and each requirement field contains a 4-bit count and a 16-bit mask. The count specifies the number of signatures required, and the mask specifies the security officers whose signatures are counted. If the count is zero, the requirement is considered to be satisfied and the mask is ignored. All three requirements must be met before the pending function is performed.

The three N-of-M controls can be used in several ways. The three requirement fields could be set up, for example, one for each of three departments and requiring a signature by at least one member of each department; or for two departments and a group of secure workstations, requiring a certain number of signatures from each department and at least two different workstations. In another use, a requirement field can be assigned to a group of automated audit and verification programs, each operating in the role of a notary, recording and then signing the function only if a predefined set of conditions have been met.

Note that, in an SRA entry, if a counter value is greater than the total number of authorized security officers specified in the corresponding mask, the requirement can never be satisfied, and the associated PKSC function is effectively disabled. In the load-and-lock environment, after master keys have been installed using the clear master-key entry functions, the profile register is set to disable these functions. To prevent these functions from subsequently being enabled, and to prevent master keys from being changed by any other means, the load-profile-register, load-SRA-and-PKSC-masks, load-DES-key-or-DMK, and load-RMK-or-SMK PKSC functions must also be disabled by means of specifying the SRA entries so that signature requirements for these four PKSC functions can never be satisfied. The only way to change master keys is to perform an SCM reset, which erases all customer data and places the SCM in the noninitialized state.

Performance of multiple-signature function

When a multiple-signature request is received, the signature is verified. If verification is successful, the requested function is loaded into the PRR, and the bit in the signature summary mask corresponding to the requestor is set to one. If all SRA requirements for the pending function are satisfied, the function is performed; if the requirements are not all satisfied, the request is left in the PRR waiting for additional signatures.

Each time a co-sign request is received, the SCM verifies the signature of the requestor and compares the hash value in the co-sign request with the one in the PRR. If verification is successful and the PR hash values match, the bit corresponding to the co-signing officer in the signature summary mask is set to one. When all signature requirements are satisfied, the pending function is performed.
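The N-of-M evaluation and co-sign flow described above, modeled in Python as an added example (not code from the paper or from IBM). Assumptions: bit i of the SSM and of each mask stands for security officer i, SHA-256 stands in for the MDC-4 PR hash, and signature verification is reduced to a boolean argument.

```python
import hashlib
import hmac
from dataclasses import dataclass


def popcount(x):
    return bin(x).count("1")


def pr_hash(request):
    """Stand-in for the MDC-4 hash of the entire original request (assumption)."""
    return hashlib.sha256(request).digest()


@dataclass(frozen=True)
class Requirement:
    count: int  # 4-bit number of signatures required
    mask: int   # 16-bit mask of officers whose signatures are counted

    def __post_init__(self):
        if not (0 <= self.count <= 0xF and 0 <= self.mask <= 0xFFFF):
            raise ValueError("count must fit in 4 bits and mask in 16 bits")

    def satisfied(self, ssm):
        # A zero count is satisfied outright and the mask is ignored.
        return self.count == 0 or popcount(ssm & self.mask) >= self.count

    def satisfiable(self):
        # A count larger than the number of officers in the mask can never be
        # met, which is how an SRA entry disables its PKSC function.
        return self.count <= popcount(self.mask)


class PendingRequestRegister:
    """Holds one pending request, its PR hash and the signature summary mask."""

    def __init__(self, sra_entry):
        if len(sra_entry) != 3:
            raise ValueError("an SRA entry has three requirement fields")
        self.sra_entry = tuple(sra_entry)
        self.ssm = 0            # signature summary mask (16 bits)
        self.hash = None        # PR hash of the pending request
        self.performed = False  # True once all three requirements are met

    def _record(self, officer):
        if not 0 <= officer < 16:
            raise ValueError("officer index must be 0..15")
        self.ssm |= 1 << officer  # signing twice still sets only one bit
        self.performed = all(r.satisfied(self.ssm) for r in self.sra_entry)
        return True

    def submit(self, officer, request, signature_ok):
        """Original request: load the PRR and set the requestor's SSM bit."""
        if not signature_ok:
            return False
        self.hash, self.ssm, self.performed = pr_hash(request), 0, False
        return self._record(officer)

    def co_sign(self, officer, claimed_hash, signature_ok):
        """Co-sign: accepted only if the signature and the PR hash both check."""
        if self.hash is None or not signature_ok:
            return False
        if not hmac.compare_digest(claimed_hash, self.hash):
            return False
        return self._record(officer)


def run_demo():
    # Constructed policy: 1 of officers 0-3, 2 of officers 4-7, third field unused.
    entry = (Requirement(1, 0x000F), Requirement(2, 0x00F0), Requirement(0, 0xFFFF))
    prr = PendingRequestRegister(entry)
    request = b"constructed request: load profile register"
    good = pr_hash(request)
    trace = [(prr.submit(0, request, True), prr.ssm, prr.performed)]
    co_signs = [(4, good), (4, good), (9, good), (5, pr_hash(b"other")), (5, good)]
    for officer, claimed in co_signs:
        trace.append((prr.co_sign(officer, claimed, True), prr.ssm, prr.performed))
    return trace


if __name__ == "__main__":
    for accepted, ssm, performed in run_demo():
        print(accepted, f"{ssm:016b}", performed)
```

The trace shows a repeated signature and a signature from an officer outside the mask leaving the request pending, and a co-sign carrying the wrong PR hash being rejected without touching the SSM.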

PKSC secrecy

Secret information transmitted between the SCM and another external system using PKSC functions is protected under a transport key. Transport keys are derived by using the Diffie–Hellman key agreement protocol. The SCM includes a set of DH registers, two transport-key registers, and several transport-key management functions to support the protocol. This entire process can be audited by using query functions to ensure that the correct transport keys are established between intended systems by authorized security officers. The DH modulus size can be up to 1024 bits, and each execution of the DH key agreement protocol creates two transport keys: one contains 128 bits and the other, 320 bits.

When secret information is protected using the 128-bit basic transport key (BTK), the encryption uses the two-key TDES TECB mode of encryption [9]. When secret information is protected using the 320-bit public transport key (PTK), 192 bits of the PTK are used as three DES keys, and the remaining 128 bits are used as two 64-bit secret initial chaining values. Secret information is first encrypted using CBC-mode DES encryption [10] with the first key and the first secret initial chaining value. The result is then decrypted using CBC-mode DES decryption with the second key and the initial chaining value of zero. The result is again encrypted using CBC-mode DES encryption with the third key and the second secret initial chaining value. This process, sometimes referred to as inner chaining, is much stronger cryptographically than outer chaining, that is, the TDES TCBC mode of operation [9], which might be considered first in our particular use.

The RSA key pair of the SCM is used for authentication only; it is not used for protecting the secrecy of sensitive data. Thus, compromising the key does not itself cause significant exposure, since it is nontrivial to impersonate the SCM in a real-time environment. If the key were also used for encryption, compromising the key could compromise all secret values ever protected under the key.

Using the transport key established by the Diffie–Hellman key agreement protocol is a better approach, because 1) a different transport key can be used for each transaction and 2) the transport key can be erased when the transaction is complete.

PKA facility

The PKA facility provides functions to perform digital signature using RSA and DSS, and DES key distribution using RSA and DH. Private keys in operational form are called PKA objects and are protected under either of two master keys: The signature master key (SMK) protects private keys for digital signature, and the receive master key (RMK) protects private keys for importing DES keys. Functions using the RMK and SMK are called RMK-based and SMK-based functions, respectively. These functions are profile-controlled, with separate profile bits assigned to RMK-based normal use, RMK-based PKA object import, SMK-based normal use, and SMK-based PKA object import.

Protection of private keys

Since keys used in most public-key algorithms cannot be changed frequently, their lifespan is usually much longer than that of DES keys. In addition to the use of 192-bit RMK and SMK, other special considerations were given to the PKA design to ensure that extremely high security is provided for private-key protection, so that maintaining them outside the SCM is not a weakness.

Information about a private key consists of both secret and public parts. The secret part is strongly encrypted when it is outside the SCM. Although the public part does not require encryption, its integrity affects the secrecy of the corresponding private key. To ensure that no data can be practically substituted or modified, information about a private key is entirely encapsulated. Encapsulation is achieved by placing all information about a private key in an object. The public part is stored in the clear; the secret part is encrypted. The SHA-1 secure hashing algorithm is performed on the clear value of both public and secret parts in the object. The hash value is stored as part of the object; it is generated by the SCM when the object is created and is used by the SCM to verify object integrity when the object is used.

When a PKA function using a private key is requested, the designated object is provided to the SCM as an input operand of the function. Before the object is accepted, the integrity of the object is verified by the SCM. The SCM first recovers the clear value of the private key and generates an SHA-1 hash value on the clear contents of the object. The generated SHA-1 hash value is then compared with the referenced one in the object. If the comparison fails, the object is rejected, and the requested function is not performed.

Secret parts in an RSA, DH, or DSS object are encrypted under a unique 320-bit object protection key. The encryption algorithm is the same as that used by the 320-bit public transport key. The object protection key is encrypted under the 192-bit RMK or SMK using the same algorithm, except that all initial chaining values are zeros.

A unique object protection key is used in each object, and the key is internally generated by the SCM when the object is created. This enhances security, because compromising an object protection key compromises only one object. This also enhances the security of the RMK and SMK, because no plaintext–ciphertext pair of any data under RMK or SMK is available to applications. The encrypted object protection key is encapsulated in the object.
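The inner-chaining construction described for the 320-bit public transport key in the PKSC secrecy section, and reused here for the object protection key and its wrapping under the 192-bit RMK or SMK, sketched in Python as an added example (not code from the paper). Assumptions: a 4-round Feistel toy cipher stands in for DES so the block runs with the standard library only, and the 320 bits are laid out as three keys followed by two chaining values, a layout the paper does not specify.

```python
import hashlib

BLOCK = 8                 # DES block size in bytes
ZERO_IV = bytes(BLOCK)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    """Stand-in 64-bit block cipher (toy Feistel), NOT DES; illustration only."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of 8 bytes")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for p in _blocks(data):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def inner_encrypt(keys, iv1, iv2, data):
    """CBC-encrypt (key 1, IV 1), CBC-decrypt (key 2, zero IV), CBC-encrypt (key 3, IV 2)."""
    k1, k2, k3 = keys
    step = cbc_encrypt(k1, iv1, data)
    step = cbc_decrypt(k2, ZERO_IV, step)
    return cbc_encrypt(k3, iv2, step)


def inner_decrypt(keys, iv1, iv2, data):
    """Exact inverse: undo the three CBC passes in reverse order."""
    k1, k2, k3 = keys
    step = cbc_decrypt(k3, iv2, data)
    step = cbc_encrypt(k2, ZERO_IV, step)
    return cbc_decrypt(k1, iv1, step)


def split_320(key320):
    """Assumed layout: three 64-bit keys, then two 64-bit secret chaining values."""
    if len(key320) != 40:
        raise ValueError("expected 320 bits")
    return (key320[0:8], key320[8:16], key320[16:24]), key320[24:32], key320[32:40]


def protect_secret(key320, secret):
    keys, iv1, iv2 = split_320(key320)
    return inner_encrypt(keys, iv1, iv2, secret)


def recover_secret(key320, blob):
    keys, iv1, iv2 = split_320(key320)
    return inner_decrypt(keys, iv1, iv2, blob)


def wrap_opk(master192, opk):
    """Object protection key under RMK/SMK: same passes, all chaining values zero."""
    if len(master192) != 24:
        raise ValueError("expected 192 bits")
    keys = (master192[0:8], master192[8:16], master192[16:24])
    return inner_encrypt(keys, ZERO_IV, ZERO_IV, opk)


def unwrap_opk(master192, blob):
    keys = (master192[0:8], master192[8:16], master192[16:24])
    return inner_decrypt(keys, ZERO_IV, ZERO_IV, blob)


# Constructed sample values, derived deterministically so the block runs offline.
SAMPLE_OPK = hashlib.sha512(b"constructed object protection key").digest()[:40]
SAMPLE_SMK = hashlib.sha256(b"constructed signature master key").digest()[:24]
SAMPLE_SECRET = b"constructed private-key bytes 32"
```

Because the chaining values are themselves part of the 320-bit key, two objects holding the same secret under different object protection keys share no ciphertext, and only the wrapped object protection key ever appears under the master key.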

Object and key generation

Functions are provided to create RSA, DH, or DSS private-key objects from clear input, and to import them protected under a DES KEK with a special control vector. Functions are provided to generate DSS and DH private-key objects with the secret information generated internally within the SCM. A field in the object indicates how the object was created.

RSA key generation is not provided in the SCM; rather, the SCM must depend on an external system to generate RSA key pairs for applications. RSA key generation is a complex process and is not suitable for a hardware-only implementation. Additionally, in an enterprise server, it is expected that the number of RSA private keys used will be small, and that RSA key generation will be a very infrequent event. In the interactive secure workstation environment, these keys can be generated in the secure workstation.

Master-key update

It is expected that there will be cases in which the RMK and SMK must be updated. This could be the case, for example, when enterprises are consolidated, when a security officer leaves, or when a key part is compromised. Dynamic master-key update is provided for the DMK. This is accomplished by means of an auxiliary DES master key (AMK) register. The new master key can be loaded into the DMK register, and the old value of DMK can be placed in the AMK register. DES keys encrypted under the old value of DMK can be converted to become encrypted under the new master key by means of the reencipher-from-old-master-key function, which is a profile-controlled, normal SCM function.

Because of the nature, use, and lifetime of private keys, it is expected that control and handling of objects protected under RMK or SMK is a more sensitive matter than that of DES keys, and that a more granular control is required. It is also expected that the number of private keys used in the server environment is quite small—perhaps only one or two. To provide the appropriate granularity, special PKSC controls were provided to permit PKA objects to be exported and imported individually with multiple control. These controls also provide for PKA-object transfer between two cryptographic systems. When the SMK or RMK is updated, affected PKA objects become invalid, and a copy of these objects must be imported by means of the import-PKA-object PKSC function.

Object transfer

For backup and recovery, a means must be provided for object distribution with tight control. An object can be exported from one system and imported to another by means of the export-PKA-object and import-PKA-object PKSC functions. Public auditing and multiple control ensures that only designated objects are moved. These PKSC functions reencipher the object protection key from being encrypted under RMK or SMK to being encrypted under the 320-bit public transport key, or vice versa. Since encapsulation is based on the clear value of the object protection key, object integrity can be verified by both the sender and the receiver.

DES-based facility

DES-based functions use the DMK and are profile-controlled. This section describes only the new functions and features. Separate profile bits are assigned for functions that reset domain, for each type of verification pattern supported for DES-based keys, for hash values on each of the master keys, for zeroizing the old, new, and current DMK, and for clear master-key entry of each of the three master keys in each domain.

The enhancements which are new in the SCM are summarized as follows.

Improved encryption

New encryption functions include TCBC and TECB modes of triple-DES (TDES) cipher.

Improved MAC

New MAC functions include a two-key MAC defined in ANSI X9.19 [11] and a three-key MAC, which is the last block of ciphertext using three-key TCBC-mode TDES encryption.

Improved key types

ICRF had ten key types. The SCM adds additional variability in the control vector (CV), resulting in more flexibility but also reducing the total number of key types. Control vector is a means of implementing the key-separation concept, which requires that keys be used only in the prescribed operations according to the key type. A detailed description of this concept and some implementations are provided in [1, 2].

The MAC generation key and MAC verification key types are merged into a single MAC key type with two CV bits: a MAC generation bit and a MAC verification bit. Similarly, the PIN generation key and PIN verification key types are merged into a single PIN derivation type with two CV bits: a PIN generation bit and a PIN verification bit. One new key type has been added—a data-encryption message-authentication (DEMA) key type with four CV bits: encipher, decipher, MAC generation, and MAC verification. CV bits were added to the exporter KEK and importer KEK to control whether the key could participate in key generation, key translation, and key import and export functions.

With this change, the SCM includes a larger number of the control vectors supported by IBM 4753.

Improved control of key state change

The most significant CV change is the key distribution control, which can be set to prohibit a key encrypted under DMK from being exported. In ICRF, any key in the operational state could be converted to the exportable state. A CV bit has been added to all key types, except the data-encrypting key type, to control whether a key in the operational form can be exported. This bit cannot be applied to the data-encrypting key type because the CV for this key is all zeros. The data-encryption message-authentication key provides this control.

● Processes

This section describes several processes which use the functions described earlier in the paper.

Initialization process

When an SCM is shipped with the enterprise server to the customer, when the primary power is turned on after both power sources have been removed, or when an SCM reset is performed, the SCM is placed in the not-initialized state. In this state, all security-relevant functions are disabled, but non-security-relevant functions are enabled because they are not subject to the control of U.S. export regulations. The initialization process is performed to change the SCM state from the not-initialized state to the initialized state, after which the customization process can begin.

The initialization process uses a set of initialization functions to establish a set of legitimate cryptographic configuration controls (CCC). The performance of initialization functions is similar to that of multiple-signature PKSC functions, except that signatures for initialization functions are provided by IBM. The initialization functions are currently delivered to the customer on an enablement diskette. Without the enablement diskette, security-relevant functions cannot be enabled; thus, the functions can be exported and be included in all machines. Only the enablement diskette must be export-controlled. Note that an SCM test mode can be established by loading a particular CCC. In this mode, the pseudorandom number generator can be placed and maintained in a deterministic state to produce predictable outcomes. This mode is used during the manufacturing process for testing and is disabled for all SCMs by initialization functions.

Customization process

After the SCM has been initialized, security officers can install customer security-related data, including identification data, authorization controls, and master keys. In the interactive secure workstation environment, public identification data and authorization controls, including security officer identification, specifications for SRA and PKSC authorization masks, and profile registers should be installed first. This can be done as a single step and then authenticated. Customer secret master keys are installed in the SCM only after identification data and authorization controls have been properly established. In other environments, master keys may be installed before final controls in the profile register or signature requirement array are set.

Master keys and initial DES keys are installed using split knowledge. That is, the key is split into multiple key parts, and each key part is installed separately. Additionally, each key part may be encrypted under a transport key while being transmitted from a secure workstation to the SCM. The load-DES-key-or-DMK function is provided to install key parts of a DES key or DMK using the 128-bit basic transport key; the load-RMK-or-SMK function is provided to install key parts of the RMK or SMK using the 320-bit public transport key. After this process is completed, the SCM is ready to perform all enabled functions for cryptographic applications.

Master-key transfer

The PKSC extract-and-encrypt functions permit the master keys of one system to be securely copied into another. For backup or performance, this master-key transfer capability simplifies cryptographic system management for establishing the same image on multiple systems. By using the DH protocol, a common transport key can be established inside the secure boundary of each of two SCMs. The source information used to establish this can be queried. This permits an auditing program to verify that the proper DH parameters have been used and thus that the transport key is not known outside of the two SCMs. This permits a master key to be encrypted under the transport key extracted from one SCM, transferred to the other SCM, decrypted in the second SCM, and installed with no exposure to compromise. For DMK transfer, the 128-bit basic transport key is used; for RMK or SMK transfer, the 320-bit public transport key is used. A similar PKSC process is used to import or export PKA objects as previously described in the subsection on object transfer.

Pseudorandom number generator (PRNG)

The overall security of the SCM depends on a secure and reliable random number generator. Implementation of a true random number generator, thermal noise or Geiger counter, for example, was out of the question; such circuits are not compatible with the CMOS circuit design and do not meet the requirements for reliability, testing, and diagnostics for this product.

Much special attention was devoted to the design of the pseudorandom number generator (PRNG). There is a broad spectrum of uses for pseudorandom numbers (PRNs) by the SCM. Random numbers are generated and used internally for the crypto module signature sequence number and the transaction sequence numbers (both are 128 bits and public) and for Diffie–Hellman values (1024 bits and secret). Random numbers are generated and provided to applications in a protected form for use as DES keys (64, 128, and 192 bits); DSS private keys and message secret numbers (both are 160 bits); object protection keys (320 bits); confounders (64–192 bits); and padding (8–192 bits). Random numbers are also provided to applications in the clear for additional uses such as initial chaining values and the generation of prime numbers.

Such diversified uses for PRNs indicated that multiple PRNGs customized to individual requirements were impractical; rather, a single very strong PRNG was required.

Since random numbers are used during the initialization process, the PRNG must be initialized before the remaining stages of the process can be performed. Thus, the PRNG had to be self-initializing rather than being dependent on other means for the installation of an initial seed. This requirement differs from the environment assumed by most standards, where initialization is outside the scope of the standard.

The generate pseudorandom number function provides a 64-bit pseudorandom number in the clear. In ICRF, this function was not available until after the master key had been installed. In the SCM design, the PRNG is the first secure portion of the machine to become available from the not-initialized state. Since the output of the PRNG is designed to be unbreakable, the generate pseudorandom number function is not profile-controlled and is available whenever the PRNG is initialized.

● Design criteria

The design criteria for the PRNG were as follows:

1. Randomness. The output of the pseudorandom number generator must appear to be a string of random independent bits with no bias. By “no bias,” it is meant that the values zero and one are equally probable for each bit. By “independent,” it is meant that given any number of output bits, it is computationally impractical to compute (or predict) the value of any unknown bit.

2. Cryptographic strength. Since the output bits of a PRNG are not truly independent, we define the “work factor” of a PRNG as the order of magnitude of the most efficient algorithm capable of computing the value of unknown bits. For any particular use of the system, the PRNG should not be the weakest link. All secret values in the SCM have at least 128 bits, thus implying a cryptographic strength of 2^128 work factor; the PRNG must have a matching strength.

In some PRNG designs, the work factor to compute the value of future bits may be different from that to compute the value of previous bits. These are referred to as the forward and backward work factors, respectively. It should be expected that the use of a hash operation in the feedback path may result in the backward work factor being larger than the forward work factor. It should also be noted that for some types of compromises, the backward work factor is the more important of the two. This would be the case, for example, if the action of compromising were to cause the unit to become no longer usable or placed in a tamper state.

3. Secure initialization and re-initialization. The PRNG must contain adequate entropy before it becomes operational. Because of the tightly controlled manufacturing processes used to build the SCM, unless special action is taken, the PRNG will have a tendency to repeat the same sequence each time it is initialized. The probability of causing the same PRNG (or different PRNGs) to return to the same state by repeatedly forcing initializations is required to be no larger in magnitude than the probability of repetition of the state in normal operation.

4. Recovery from compromise. Each value output by the PRNG gives away information and reduces the entropy. Also, although the PRNG has no known design weaknesses, it is not a good security design principle to assume that no weaknesses exist. To ensure long-term security, and to minimize exposure from compromises due to unknown reasons, a mechanism to add entropy is needed.

5. Prevent backtracking from compromise. The SCM is tamper-resistant, and it is highly unlikely that a perpetrator could compromise the PRNG state. But, in the unlikely event that the PRNG state should be compromised, it is likely that the SCM would no longer be operational. Thus, the backward tracking problem is more serious but also much more easily solved.

6. Reliability and testability. Hardware reliability in the S/390 Parallel Enterprise Server* environment is extremely important. To meet these objectives requires extensive testing. Testing of the design must be performed during the development process, and testing of each individual product must be performed during the manufacturing process and also in the field. Testing presents unique problems because it is normally based on predictability and repeatability, which are contrary to the PRNG output in normal operation.

7. Restoration after power-off. Initialization of the PRNG is a sensitive, complex, and time-consuming operation. Once it has been initialized, subsequent initialization should not be necessary when power is dropped and restored. This includes the case in which power is unexpectedly lost without time to react as the power is going down. Thus, information must be saved in advance in preparation for a potential restoration.

● PRNG operation

Figure 4 shows an overview of the implementation of the PRNG. Figures 5 through 10 show more detail for specific situations.

PRNG working registers

The PRNG includes a real-time counter (T), a randomization state (S), and a 7-bit pseudorandom number initialization count (PRNIC). The PRNIC indicates the remaining number of external randomization events required before the PRNG is considered to be initialized. The PRNIC is initially set to 127, and the PRNG cannot be used for generating PRNs until the PRNIC is zero. When the PRNIC is nonzero, it is decremented by one each time an external randomization event occurs.

The 128-bit randomization state S provides the basic strength of the PRNG. When initialization is complete, S contains secret information.

The 64-bit real-time counter T is incremented continuously at the fastest rate possible for the machine. T provides three important factors:

1. T is used as the basis for providing entropy. This is based on the assumption that although the value of T is known approximately, it cannot be known to the exact cycle. The amount of entropy added by T depends on how accurately the difference between several values of T can be known or controlled. This value is called “jitter” and should be distinguished from two other values associated with T, “drift” (variation in stepping rate of T) and “epoch” (time at which T was zero).
2. The use of T ensures that the output of the PRNG does not have a short-term cycle of repetition. (On the G5 processor, the time for T to wrap around is several hundred years.)
3. When more than 64 bits of PRNs are required with no intervening idle period, the changing value of T provides different output information for each execution.

The reliability of T is crucial to the PRNG security. Error-checking and correction (ECC) code is used not only on the counter data but also on all control signals. Additional independent checking is also continuously performed to ensure that the counter is incrementing; otherwise, the checking logic will shut down the entire SCM.


PRNG battery-backup registers

The SCM is powered by two sources, primary power and battery-backup power. Most of the logic circuitry and active registers in the SCM are designed for speed at the expense of additional power consumption and are powered only by the primary power source. Registers T, S, and PRNIC are of this type, and information in these registers is lost when primary power is removed.

Associated with registers T and S are registers BBT and BBS (battery-backup registers). BBT and BBS are powered by both the primary power and battery-backup power sources. This storage operates at lower speed, but has lower power consumption, and the information is maintained when primary power is removed. (There is also battery-backup information, not shown in the figures, indicating the initialization state of the PRNG.)

The battery-backup registers maintain sufficient information that after the PRNG has been initialized, initialization is not required during subsequent power-on sequences.

SCM reset

It is assumed that the state of the registers in the SCM after power-on is not random, but rather may be quite repeatable. Thus, it is necessary to introduce randomness into the PRNG in response to some external event. Since randomness is introduced in this way, SCM reset is defined to set all registers to a known state, thus permitting validation of error-checking and correction codes in these registers. SCM reset causes T and S to be set to zero, and PRNIC to be set to 127.

Internal randomization event

During normal operation, the randomization state S may be updated as the result of either of two randomization events. (Updates of registers are shown in Figure 4 by means of a signal, such as “ie,” controlling a gate, shown as “g” in the figure.)

The internal randomization event (ie) causes S to be updated from the output of hash operation H1. Whenever the SCM is not performing other activities, a continuous sequence of internal randomization events is performed until some other activity is requested, at which point the internal randomization event in process is canceled. The sequence of internal randomization events performed without any other activity is called an “idle window.” There are no limitations on the size of an idle window, and it may be small enough that no internal randomization events occur. Hash operation H1 is the MDC-4 of S and T.

The internal randomization event adds entropy on a continuing basis without requiring any special action on the part of the program.

External randomization event

As part of the execution of any PKSC query function, an external randomization event (xe) is performed which causes S to be updated from the output of hash operation H2. Each PKSC query function includes a 128-bit value R, which is used as a randomization value. Hash operation H2 is the MDC-4 of R, S, and T.

Execution of any PKSC query function continues to cause the external randomization event to be performed even after the PRNIC is zero. This permits the cautious user to add additional entropy and perhaps randomization to the PRNG at any time. In this context, we view “entropy” as the amount of unpredictability added to the PRNG as a result of jitter, assuming that an observer knows the randomization value along with the epoch and drift values of T. “Randomization” is the complete reseeding accomplished by this action if it can be accomplished without the observer’s knowledge of the randomization value.

Initialization complete

When 127 external randomization events have occurred and the PRNIC is set to zero, a save event occurs. The save event provides information for restoration after power loss; it causes the output of hash operation H4 to be placed in BBS and the current value of T to be placed in BBT. Hash operation H4 is the MDC-4 of T and S.

PRN output

PRN output is produced 64 bits at a time using hash operation H3. H3 produces a 128-bit intermediate value using the MDC-4 of T and S. The left 64 bits of this intermediate value are exclusive-ORed with the right 64 bits to produce a 64-bit result. When more than 64 bits are required during execution of certain cryptographic operations, H3 is invoked multiple times, with no intervening update of S. Each of these outputs is different because T is incremented at approximately a 100-MHz rate, while it takes approximately one microsecond to produce a 64-bit PRN output.

Power-on reset

The action taken by power-on reset depends on whether the SCM has been previously initialized. If not, power-on reset causes the same action as SCM reset. If the SCM has been previously initialized, power-on reset causes T and S to be restored from the values in BBT and BBS; then, after several cycles, a save event occurs.

Periodic save

During normal operation, a save event may be performed periodically. This keeps the value of BBT more or less current and avoids the possibility of restoring T to a very old value.
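The register behavior described in this section (reset, the 127-event initialization count, the two randomization events, the save event, 64-bit output folding, and restoration after power loss), modeled in Python as an added example that is not code from the paper. Assumptions: truncated SHA-256 stands in for MDC-4, the input order of each hash follows the order in which the text names S, T and R, T is stepped explicitly by the caller, and a reset is taken to clear the backup registers.

```python
import hashlib

MASK64 = (1 << 64) - 1
CYCLES_PER_OP = 100  # about 1 microsecond at about 100 MHz (the paper's figures)


def h128(*parts):
    """Stand-in for MDC-4 (128-bit result): truncated SHA-256, illustration only."""
    return hashlib.sha256(b"".join(parts)).digest()[:16]


class ScmPrngModel:
    def __init__(self):
        self.scm_reset()

    def scm_reset(self):
        """SCM reset: T and S are set to zero and PRNIC to 127."""
        self.t, self.s, self.prnic = 0, bytes(16), 127
        self.bbt = self.bbs = None  # model assumption: backup copy is cleared too

    def tick(self, cycles):
        """Advance the free-running 64-bit counter T."""
        self.t = (self.t + cycles) & MASK64

    def _t(self):
        return self.t.to_bytes(8, "big")

    def internal_event(self):
        """ie: S is replaced by H1 of S and T (runs while the module is idle)."""
        self.s = h128(self.s, self._t())
        self.tick(CYCLES_PER_OP)

    def external_event(self, r):
        """xe: S is replaced by H2 of R, S and T; counts down PRNIC while nonzero."""
        if len(r) != 16:
            raise ValueError("R is a 128-bit value")
        self.s = h128(r, self.s, self._t())
        if self.prnic:
            self.prnic -= 1
            if self.prnic == 0:
                self.save_event()  # initialization complete

    def save_event(self):
        """Place H4 of T and S in BBS and the current T in BBT."""
        self.bbs = h128(self._t(), self.s)
        self.bbt = self.t

    def generate(self):
        """One 64-bit PRN: H3 of T and S, left half XOR right half. S is unchanged."""
        if self.prnic:
            raise RuntimeError("PRNG not initialized: PRNIC is nonzero")
        mid = h128(self._t(), self.s)
        self.tick(CYCLES_PER_OP)  # T keeps running, so the next output differs
        return int.from_bytes(mid[:8], "big") ^ int.from_bytes(mid[8:], "big")

    def power_on_reset(self):
        """Restore T and S from BBT and BBS if initialized, else act as SCM reset."""
        if self.bbs is None:
            self.scm_reset()
            return
        self.t, self.s, self.prnic = self.bbt, self.bbs, 0
        self.tick(CYCLES_PER_OP)  # "after several cycles, a save event occurs"
        self.save_event()


def initialize(prng, gaps):
    """Drive the 127 external events; gaps[i] is the constructed number of cycles
    that elapse before event i. R values are fixed and known to an observer."""
    if len(gaps) != 127:
        raise ValueError("127 external randomization events are required")
    for i, gap in enumerate(gaps):
        prng.tick(gap)
        prng.external_event(i.to_bytes(16, "big"))
    return prng


if __name__ == "__main__":
    same = initialize(ScmPrngModel(), [1000] * 127)
    off_by_one = initialize(ScmPrngModel(), [1000] * 50 + [1001] + [1000] * 76)
    print(same.s.hex(), off_by_one.s.hex())
```

With identical R values, two runs with identical timing reach the same S, while a single cycle of jitter in one event yields an unrelated S; after a power loss the restored S is the hashed backup value rather than the S in use before power was removed.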

Test facilities

The design of the PRNG includes special diagnostic facilities which permit extensive testing of the PRNG registers, data path, and controls. These facilities permit each of the hash and feedback operations associated with the PRNG to operate independently and in a completely deterministic manner. They also permit the counter T to be stopped or single-stepped. These diagnostic facilities are operational only when the test mode bit in the CCC is a 1. The program can ensure that the SCM is not in test mode by means of the query module information PKSC function.

● Security analysis of PRNG

If we start with the simplifying assumption that T can be known exactly, there is a relatively simple algorithm to compute unknown bits on the PRNG. If several output values, with no intervening randomization event, are available and T is known exactly for each of these values, S can be found by means of an exhaustive search. The work factor for this search is 2^128. From this value for S, and exact values for T, all outputs generated using this S can be computed. Additionally, if the exact value of T is known for future randomization events, the future values of S can also be computed.

Given exact values for T, the same process can be extended with the same work factor, even if the known values are separated by intervening randomization events. In the same way, given exact values for T, the process can be extended to compute values previous to the known values by picking an earlier starting point to begin the exhaustive search.

The above approach can be extended to the case for which T is known only approximately by including all possible values for T as part of the exhaustive search.The unknown value of the epoch of T adds a simple increase to the work factor.It is assumed that the effect of drift

is insigni?cant in comparison to the unknown value of

the epoch and can be ignored.Jitter in the value of T associated with known output values results in a simple increase in the work factor,and the exact value of T for these events will be revealed as a result of the search. Jitter in the value of T associated with unknown output values results in uncertainty in the unknown values,but does not increase the work factor.Jitter in the value of

T associated with randomization events has a compound effect on the work factor;not only must additional values for T be included in the exhaustive search,but the effective size of S over time is increased,thus increasing the space that must be searched.

The amount of entropy added by T depends on the jitter. It is assumed that the jitter for an external randomization event adds at least one additional bit of entropy. Thus, the fact that 127 external randomization events must be performed before the PRNG is initialized increases the entropy to the maximum amount containable in S.

After initialization is complete, both external and internal randomization events continue to add entropy. For internal randomization events, the timing between events within a single idle window may be repeatable, but the unpredictability of the timing for the entire window adds at least one additional bit of entropy.

While measurements and controls accurate to within one or two cycles would be possible in a laboratory environment, it is unrealistic to expect this type of accuracy in a production environment. On the G5 processor, for example, T steps at a rate of the order of 100 MHz, the stepping rate of the time-of-day clock is 64 MHz, and the time to perform one internal randomization event or generate a 64-bit PRN is of the order of 1 µs. But the path length for the operating system to send an application request to the SCM is several microseconds, long enough to permit several internal randomization events between requests. Thus, when no asynchronous operations are in progress, at least one bit of entropy is added for each synchronous request, but as viewed by the application program, the effective jitter is much larger. Asynchronous operations may reduce the number of internal randomization events, but only at the expense of increasing the effective jitter, since the execution time of PKA and PKSC functions is measured in milliseconds.

Each of the operations H1, H2, H3, and H4 is the cryptographically strong MDC-4 hash algorithm. The main difference between the operations is the order in which S, T, and R are fed into the MDC-4 operation. The use of strong hash algorithms rather than an encryption algorithm increases the backward work factor in the case of certain compromises.

In the restoration of T and S from BBT and BBS, no attempt is made to eliminate repetition of values in T. Instead, S is updated using a hash operation different from those used to update S in the normal process. This reduces the probability of repetition of S to the same order of magnitude as the strength of the PRNG.


In summary, the PRNG provides a security level that is higher than a work factor of 2^128. From a given output, it takes a work factor of about 2^128 to derive the PRNG state. However, even if the state could be compromised, there would be no long-term effect, because entropy is continually being added.
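The following Python sketch is an added illustration of the analysis above, not code from the paper or from IBM. It assumes a toy 16-bit state and uses truncated SHA-256 as a stand-in for the MDC-4-based operations H1 to H4; all function names and sample values are constructed for the example.

```python
import hashlib

STATE_BITS = 16                 # toy size (assumption); the SCM's S implies a 2^128 search
MASK = (1 << STATE_BITS) - 1

def _h(tag, s, t):
    """Stand-in hash: SHA-256 truncated to 64 bits (the SCM uses MDC-4)."""
    data = tag + s.to_bytes(4, "big") + t.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def output(s, t):
    """64-bit pseudorandom number produced from state S and counter T."""
    return _h(b"out", s, t)

def randomize(s, t):
    """Randomization event: hash the current value of T into S."""
    return _h(b"mix", s, t) & MASK

def recover_state(observed, t_values):
    """Exhaustive search for S from outputs whose T values are known exactly.
    Returns (state, candidates_tried); state is None if nothing matches."""
    for tries, s in enumerate(range(1 << STATE_BITS), start=1):
        if all(output(s, t) == o for o, t in zip(observed, t_values)):
            return s, tries
    return None, 1 << STATE_BITS

def apply_events(s, nominal_times, deltas):
    """True state after randomization events at nominal T plus actual jitter."""
    for t, d in zip(nominal_times, deltas):
        s = randomize(s, t + d)
    return s

def candidate_growth(s_known, nominal_times, jitter_bits=1):
    """States that someone who once knew S must still consider after each
    event, when each event's T is uncertain by jitter_bits bits."""
    candidates = {s_known}
    sizes = [1]
    for t in nominal_times:
        candidates = {randomize(s, t + d)
                      for s in candidates
                      for d in range(1 << jitter_bits)}
        sizes.append(len(candidates))
    return sizes, candidates

# Constructed sample values, not SCM data.
SECRET_S = 0xBEEF
KNOWN_T = [1000, 1003, 1009]                          # exact T for observed outputs
EVENT_T = [5000 + 40 * k for k in range(20)]          # nominal T of later events
ACTUAL_JITTER = [(k * 7 + 3) % 2 for k in range(20)]  # real offset, 0 or 1 per event

def demo():
    # Case 1: T known exactly, no intervening randomization event.
    observed = [output(SECRET_S, t) for t in KNOWN_T]
    s, tries = recover_state(observed, KNOWN_T)
    predicted = output(s, 1500) == output(SECRET_S, 1500)
    # Case 2: state was known, then jittered randomization events occur.
    sizes, cands = candidate_growth(s, EVENT_T)
    s_now = apply_events(SECRET_S, EVENT_T, ACTUAL_JITTER)
    return {"recovered": s, "tries": tries, "predicted": predicted,
            "sizes": sizes, "still_covered": s_now in cands}

if __name__ == "__main__":
    r = demo()
    print(f"recovered S={r['recovered']:#06x} after {r['tries']} "
          f"of {1 << STATE_BITS} candidates")
    print("later output with known T predicted:", r["predicted"])
    for k, n in enumerate(r["sizes"]):
        print(f"after {k:2d} jittered events: {n:6d} candidate states")
```

With one bit of jitter per event, the candidate count roughly doubles at each event until it levels off near the size of the toy state space, which is the small-scale counterpart of requiring 127 external randomization events before the PRNG is considered initialized.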

Recently, Kelsey et al. [12] studied attacks on several PRNGs and suggested six design guidelines. Our PRNG design was completed four years before that analysis appeared, but it complies with all suggested guidelines.

Conclusions

As has been shown in this paper, the SCM is a high-performance, highly secure product designed for the server cryptographic environment. It was designed to be used in conjunction with several secure workstations operated by security officers. The SCM provides an optimum balance between performance and flexibility by implementing high-usage cryptographic operations with high security and high performance, while permitting less frequent operations to be performed in the associated secure workstations.

As we have shown in this paper, for a hardware implementation the time to market after design “freeze” presents a major difficulty in currency in the standards area. Standards will continue to become more important in the future. Keeping track of existing and emerging standards requires much effort; interpretation and application are even more difficult tasks.

Much has been learned during the four and one-half years it took to develop, design, test, and ship the SCM. If we were starting over again, we would use DSS rather than RSA for the PKSC digital signatures; DSS has several advantages over RSA:

1. With RSA, the difficult mathematical operations (choosing two strong primes) must be performed secretly; this creates an exposure to lack of auditing. With DSS, the difficult mathematical operations (choosing a strong prime and a generator) need not be performed secretly and can be publicly audited.

2. With RSA, key generation is too complex to be implemented in pure hardware; thus, this operation cannot be provided inside the SCM. With DSS, key generation is a simple operation of picking a 160-bit pseudorandom secret value and can be performed by the SCM inside the secure boundary.

3. RSA requires formatting, adding an additional step in the signature generation and verification processes. With DSS, the SHA-1 hash value of the message can be used directly.

4. With RSA, the SCM private key had to be generated during the manufacturing process and burned in at the factory. If DSS were used, the private key could have been generated in the field and placed in tamper-responsive volatile storage.

*Trademark or registered trademark of International Business Machines Corporation.

References

1. P. C. Yeh and R. M. Smith, Sr., “ESA/390 Integrated Cryptographic Facility: An Overview,” IBM Syst. J. 30, No. 2, 192–205 (1991).

2. R. M. Smith, Sr. and P. C. Yeh, “Integrated Cryptographic Facility of the Enterprise Systems Architecture/390: Design Considerations,” IBM J. Res. Develop. 36, No. 4, 683–693 (1992).

3. Security Requirements for Cryptographic Modules, Federal Information Processing Standards Publication 140-1, National Institute of Standards and Technology, Washington, DC, January 11, 1994.

4. Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-1, National Institute of Standards and Technology, Washington, DC, December 15, 1998.

5. Telecommunications: General Security Requirements for Equipment Using the Data Encryption Standard, Federal Information Processing Standards Publication 1027, National Institute of Standards and Technology, Washington, DC, April 14, 1982.

6. Secure Hash Standard, Federal Information Processing Standards Publication 180-1, National Institute of Standards and Technology, Washington, DC, April 17, 1995.

7. IBM Corporation, Common Cryptographic Architecture: Cryptographic Application Programming Interface Reference, Order No. SC40-1675; available through IBM branch offices.

8. Digital Signature Scheme Giving Message Recovery, ISO/IEC 9796, International Standards Organization/International Electrotechnical Commission, Geneva, Switzerland, July 1991.

9. American National Standard for Financial Services, Triple Data Encryption Algorithm, Modes of Operation, ANSI Standard No. X9.52-1998, American National Standards Institute, Washington, DC, 1998.

10. American National Standard for Financial Services, Data Encryption Algorithm, Modes of Operation, ANSI Standard No. X3.106-1983, American National Standards Institute, Washington, DC, 1983.

11. American National Standard for Financial Institution Message Authentication (Retail), ANSI Standard No. X9.19-1986, American National Standards Institute, Washington, DC, 1986.

12. John Kelsey, Bruce Schneier, David Wagner, and Chris Hall, “Cryptanalytic Attacks on Pseudorandom Number Generator,” Fast Software Encryption, Fifth International Workshop Proceedings, Springer-Verlag, New York, March 1998, pp. 168–188.

Received November 4, 1998; accepted for publication August 5, 1999

Phil C. Yeh IBM System/390 Division, 522 South Road, Poughkeepsie, New York 12601 (pyeh@https://www.wendangku.net/doc/e95031148.html,). Dr. Yeh is a Senior Engineer in the Systems Architecture Department of the IBM Mid-Hudson Valley Development Laboratory in Poughkeepsie, New York. He received an M.S. degree in computer science and a Ph.D. degree in electrical engineering from the University of Illinois at Urbana–Champaign in 1977 and 1981, respectively. In 1981, he joined IBM at Poughkeepsie, where he has worked on several architecture assignments.

Ronald M. Smith, Sr. IBM System/390 Division, 522 South Road, Poughkeepsie, New York 12601 (rmsmith1@https://www.wendangku.net/doc/e95031148.html,). Mr. Smith is a Senior Technical Staff Member in the Systems Architecture Department of the IBM Mid-Hudson Valley Development Laboratory in Poughkeepsie. He received his B.E.E. degree in electrical engineering from Ohio State University in 1957 and joined IBM at the Endicott Laboratory the same year, moving to Poughkeepsie in 1961. He worked on assignments in circuit design, central processor design, and programming before joining the Systems Architecture Department in 1966.
