Physically securing critical data with non-imprinting memory and hardware AES
Editor’s Note: In this Product How-To article, Maxim Integrated’s Swati Joshi reviews some of the problems securing electronic devices against attack and describes how the company’s MAX36025 tamper-reactive cryptographic-node controller deals with such issues.
Security requirements are rapidly increasing across all end equipment categories. This trend, combined with the risk of software viruses, has resulted in an increase of hardware-security implementations. Designers thus face many challenges in designing secure systems, including how to securely encrypt and decrypt data, protect encryption keys, and prevent physical tampering. The MAX36025 tamper-reactive cryptographic-node controller has been designed to effectively deal with all these vulnerabilities.
The MAX36025 encrypts and decrypts data in two hardware Advanced Encryption Standard (AES) engines. The MAX36025’sAES engines can operate in many scenarios to encrypt, decrypt, or both encrypt and decrypt critical data at a throughput rate of 9Mbps. The AES engines are accessed via the two separate bidirectional SPI interfaces. Additionally, the serial flash interface can be used to store large amounts of encrypted data into an external serial flash. This allows users to store data securely in a standard serial flash.
Click on image to enlarge.
Figure 1 shows a scenario where only one AES engine is used to encrypt plain text data. The bidirectional SPI interface, which has a throughput of 9Mbps, manages incoming data via a FIFO. Encryption is accomplished using a key, which is securely stored in the non-imprinting memory of the MAX36025. This scenario can be used in applications where security and AES encryption are add-on features to support an existing standard (off-the-shelf) system processor.
Click on image to enlarge.
Figure 2 shows a scenario where both AES engines are used to encrypt plain text data that is received via one of the two bidirectional SPI interfaces. Data is first encrypted in Engine A using Key A, which is securely stored in the nonimprinting memory of the MAX36025. The newly encrypted data is then encrypted again as it passes through Engine B, using Key B, which is also securely stored in the non-imprinting memory of the MAX36025. Once the data has been encrypted by Engine B, it exits the MAX36025 via the second SPI interface to the network. While this scenario shows data being sent from Engine A to Engine B, it can occur in the opposite direction (i.e., from Engine B to Engine A), as this chip is fully orthagonal. The user merely needs to set up the data routing after the authentication has been established. This scenario can be used in applications where security and AES encryption are add-on features to support an existing standard (off-the-shelf) system processor and double encryption is required for added security.
Click on image to enlarge.
Figure 3 shows a scenario where one of the AES engines is used to encrypt large amounts of plain text data, which enters the MAX36025 via SPI Interface A. Once encrypted in AES Engine A, using Key A, the data then exits the MAX36025 via the serial flash interface, where it is stored in a standard serial flash (provided by the end user). This scenario is equally plausible using SPI interface B and AES Engine B. This scenario can be used in applications where large amounts of data (like code) require encryption and will be stored in an external serial flash. As in the above scenarios, the MAX36025 can be used to add security and AES encryption features to support an existing standard (off-the-shelf) system processor.
The MAX36025 stores encryption keys in 1 KByte of flash using a patented non-imprinting memory. (See "How the MAX36025 solves the memory imprinting problem" below.)
The MAX36025 also has an authentication gateway to first authenticate any processor that tries to communicate with it by sending a challenge response.
The authentication process takes place via an encrypted I2C interface when two known keys are successfully exchanged between the microprocessor and the device. The keys are loaded in the MAX36025 in a secure location. If authentication is not successful, the device will not allow access to the internal secure memory. Once authentication is successful, the encryption keys can be loaded in the non-imprinting secure memory. Additionally, access is given to set up the tamper parameters, as well as data routing through the two AES engines.
Even the most sophisticated field-programmable gate arrays (FPGAs), smart cards, and other security-sensitive components are vulnerable physical tampering. This situation requires that some active circuitry be maintained while the system is down to detect potential physical attacks that aim to extract critical information. To accomplish this, security devices must consume low power and interface with multiple sensors to detect threats. Security devices also need to create a secure boundary around the circuitry that contains sensitive content.
The MAX36025’s on-chip non-imprinting memory architecture incorporates a high-speed, direct-wired clearing function. The memory is constantly implemented in the background to prevent memory imprinting of data. The MAX36025 architecture allows the user to clear selective banks of the memory based on specified tamper events. In the event of a qualified tamper, the desired banks of memory are rapidly cleared and a negative bias can be applied to erase external memory.
The importance of non-imprinting memory
Many of the approaches currently used to ensure the physical protection of the data contained within a standard off-the-shelf (non-secure) MCU-based system include various mechanisms for the storage of cryptographic keys, algorithms, or identity information. It is a critical to protect the stored information from improper or unauthorized access.
Many of these devices can actively detect an impending attack (e.g., when an unauthorized user attempts to gain access to the information stored in the memory). In response to the detection of such an attack, it is imperative that all confidential and sensitive data stored in the memory must be quickly and reliably erased by the device itself. Unfortunately, the functionality necessary to achieve these goals can be costly and complex.
Many memory cell designs and technologies, such as conventional static random access memory (SRAM), share a common susceptibility to "data imprinting," which refers to the memory’s ability to support long-term storage of data. In the case of SRAM implementations, the mechanisms for this storage of data relate to stresses placed on the gate oxide of a memory cell transistor during operation.
These stresses arise as a result of the long-term presence of a constant bias voltage on the memory cell coupled with the cell’s configuration to store data of a certain logical value. This stress can lead to gate oxide charge accumulation, which over time can progress to such a degree that it influences the power-up state of the memory cell or leaves significant data remnants, which can be passively detected through advanced spectrographic analysis.
Thus the previously stored data can leave a permanent, detectable imprint through the stress-induced oxide charge accumulation. The logic state of the previously stored data can therefore be identified long after power has been removed from the memory, the data has been purposefully erased, or both.
Many active and passive methods are used for discovering the state of an imprinted memory cell. To the extent that the memory cell stored secret or sensitive information, the imprinting can defeat any security actions. This, of course, jeopardizes consumer trust in the device and can result in severe damages, which can threaten electronic banking systems, facilitate identity theft, defeat access control systems, or even cause more serious national security issues.
Presently, the problem of imprinting is addressed by having the host central processing unit (CPU) alter or move data such that confidential and sensitive information does not remain in a memory location long enough to imprint. However, designers sometimes choose not to implement this solution. This is not only due to cost constraints, but also because removing data in this way raise reliability issues (i.e., whether the correct state and location of the data can be accurately tracked) and the read/write operations require significant power consumption (unacceptable in power-sensitive devices). Additionally, attack windows, although narrow, are nonetheless present and can be exploited to gain access to data.
As discussed above, in response to a detected impending attack, actions are taken by the device to erase data stored in the memory. There are problems, however, with the methods by which data is erased. One commonly used technique removes power from the memory and pulls supply voltage to a negative potential. Another technique causes the (conventional non-secure) host CPU to wake up and sequentially write to each memory location (thus overwriting the previously stored data). Unfortunately, each of these techniques can be easily defeated.
In summary, two problems exist with conventional memory configurations. First, there are windows of time that allow data imprinting to take place. Second, the memories cannot be reliably and quickly erased. These issues could be nullified if the configuration could reliably and quickly erase the memory that stores sensitive information.
How the MAX36025 solves the memory imprinting problem
In the non-imprinting architecture of Maxim’s MAX36025 tamper-reactive cryptographic-node controller, each data bit location in the on-chip memory is designed with both a master and slave cell. The master stores first true/complement data, while the slave stores a copy of that data. A circuit associated with the slave cell responds to a first clock signal to copy the first true/complement data from the master cell into the slave cell with same state.
A circuit associated with the master cell responds to a second clock signal. At this point it copies a second set of true/complement data from the slave cell into the master cell. A read/write circuit supports true/complement data read and write operations with respect to the master cell in either the same or opposite polarity state. A state machine tracks the polarity state of the first true/complement data to control whether a same polarity or opposite polarity state read operation is performed by the read/write circuit.
Other MAX36025 Features
Two SPI interfaces and one generic serial flash interface provide secure, flexible communication to external system nodes. The MAX36025 can be programmed to route any of these interface inputs through one or both of the dual AES engines, and also to any of these interface outputs.
Device programming and configuration are performed through an I²C-compatible interface. The I²C interface can be secured using an integrated authentication protocol for an additional layer of system security elements as well as friend-or-foe (FoF) decisions. The MAX36025 can also encrypt I²C communications using a configurable AES key.
The MAX36025 includes a seconds counter, watchdog timer, CPU supervisor, nonvolatile (NV) SRAM controller, and on-chip temperature sensor. In the event of a primary power failure, an external battery source is automatically switched in to keep the memory, time, and tamper-detection circuitry active.
In addition, the MAX36025 provides low-leakage, tamper-detection inputs for interfacing to external sensors, interlocks, and anti-tamper meshes. The device also invokes a tamper event on absolute temperature if the temperature exceeds programmed limits or the crystal oscillator frequency falls outside of a specified window. The tamper event is latched and time-stamped for fault-recovery purposes.
Swati Joshi is presently the senior business manager for security management devices at Maxim Integrated . She has previously worked as an Assembly/Packaging Engineer with Dallas Semiconductor and Mitsubishi Semiconductor. She holds a B.S. in chemical engineering.