San Jose, Ca. – Atmel Corp. has just introduced a “plug-and-play” CryptoAuthentication host-side IC that allows designers to implement authentication-ready embedded systems, without any knowledge of security protocols or algorithms and without writing any special cryptographic software.
When used with Atmel's AT88SA family of CryptoAuthentication ICs and a system microprocessor such as Atmel's AVR or ARM, the AT88SA10HS provides a complete, virtually uncrackable authentication system for electronic end-product consumables that include ink cartridges, battery packs, blood bags, breathing tubes, and others. They can also be used to protect end-products from bogus firmware updates and validate software or media modules.
The AT88SA10HS host device off-loads key storage and the execution of authentication algorithms from the system MCU, making it ideal in applications with limited microprocessor and/or memory resources, or when reduced system cost and/or complexity is desired.
Until now, the host-side of the authentication process has been implemented in code executed by the system microcontroller. This code could be vulnerable to modification or copying when stored in an external unprotected flash memory device.
The device includes secret key storage in a special purpose highly secure hardware device and is designed as a single-chip authentication host with a 48-bit guaranteed unique serial number, SHA-256 engine, and a 256-bit host key that is inaccessible and unreadable.
The AT88SA10HS host device executes all host-side operations including challenge/response (authentication) validation and firmware integrity verification.
Atmel's AT88SA1xxS devices incorporate a SHA-256 engine and 256-bit cryptographic key, the length of which allows more possible combinations than there are atoms in the sun, making it impossible to crack using brute force methods. In contrast, the nearest competing authentication IC has a key size of only half the bits.
The AT88SA10HS includes 63 one-time, user-programmable fuses that are used to store a secret personalization value and 23 fuses that can be used for status or model number information. Once burned, there is no way to reset the value of a fuse. Additional non-burnable fuses contain the manufacturing ID and a guaranteed unique 48-bit serial number, initialized by Atmel.
Authentication. Authentication is based on a “challenge/response” protocol which uses the microprocessor host to establish communication and provide a challenge to the CryptoAuthentication on the client.
The response is used to determine if the client is authentic at which point the microcontroller can decide how to utilize the client or provide a failure indication to the user. The host could be a portable power tool, printer, medical test equipment, or any device with replaceable, consumable or updateable components. The corresponding client could be the battery used in the power tool, an ink cartridge, or a medical consumable.
Each AT88SA10HS host device has a unique serial number, a 256-bit key permanently stored inside the chip and an additional 63-bit secret stored in a fuse array. At the beginning of a transaction (e.g. unlocking a door or installing an ink cartridge), the host microprocessor retrieves the serial number from the AT88SA1xxS chip on the client.
The serial number is then sent to the AT88SA10HS host chip, which performs a SHA-256 hash based on its 256-bit host key, the client's serial number, and a random number generated by the system microcontroller. The host also sends the random number to the client as a “challenge”.
The AT88SA1xxS client then performs the same SHA-256 hash, based on the random number sent by the host, the client's serial number and the client's 256-bit key. The resulting digest, or “response”, is sent back to the AT88SA10HS via the host microprocessor which compares this response with the SHA-256 digest from its earlier calculation and makes a determination whether or not the client is authentic.
In the case of an ink cartridge or medical consumable, the system AVR or ARM microcontroller in the printer or medical device can prevent system operation if the “client” is not authentic, and allow system operation for authentic clients. The output digest of the SHA-256 calculation is so sensitive to the original information that changing even a single bit will result in a completely different value.
When the host microprocessor generates a new random number challenge for each transaction, intercepting the challenge/response pair that is sent back and forth over the bus is useless because a new response, based on a different random number, is generated for every transaction.
Client-products using CryptoAuthentication devices can be configured with a single key for an entire product line or with unique keys for each unit. Since the key is unreadable and is never transmitted, it is always secure in the AT88SA10HS host and AT88SA1xxS CryptoAuthentication client ICs.
Verifying software. Verifying that software or other documents (modules) have not been tampered with or modified is a very important function that can be done using the CryptoAuthentication Host device.
The system's microcontroller executes a hash on the contents of the module using a software SHA engine and sends the resulting digest to the CryptoAuthentication host device along with the stored 'signature' (hash) of the module.
The CryptoAuthentication host device then calculates the expected signature for the module based on the input hash digest and its securely stored key. The integrity of the module is assured if the computation result matches the signature stored along with the module.
Physical Protection of Keys. The host-side cryptoAuthentication IC incorporates a number of physical security features designed to protect the keys. These include an active shield over the entire surface of the part, internal memory encryption, internal clock generation, glitch protection, voltage tamper detection and other physical design features.
Pre-programmed keys stored on the AT88SA10HS are encrypted in such a way as to make retrieval of their values via outside analysis virtually impossible. Both the clock and logic supply voltage are internally generated, preventing any direct attack via the pins on these two signals.
Ultra-low Power Consumption. Authentication ICs spend about 1/1000 of a percent of their time active, so sleep mode power consumption is the most important power consumption metric.
With a sleep mode power consumption of less than 100 nanoamps (nA), Atmel's AT88SA10HS CryptoAuthentication host IC has virtually no effect on system battery life. The normal leakage current of the battery is substantially greater. Supply voltage for the AT88SA is 2.5V to 5.5V
Atmel provides fully validated source code for its AVR and ARM-based SAM microcontrollers, free of charge. The code may be ported to other processors if desired. The host authentication chip requires only a single GPIO pin on the host processor, which can be shared by both the client and host CryptoAuthentication devices.
The AT88SA10H host device requires only three wires to connect to a client-consumable, plus a standard bypass capacitor for a low overall BOM impact. Code libraries for the AT88SA10HS are available free of charge from Atmel.
The AT88SA10HS Host CrytpoAuthentication IC is available now in production quantities in a 3mm2, green-compliant (exceeds RoHS) 3-pin SOT-23 package. It is priced at $0.72 in quantities of 1K units.
To learn more, go to www.atmel.com.