integratedwww.javlibrary.com

1SecureYourEmbeddedDevices1.
IntroductionHigh-techgoodscounterfeiting,multimediacontentcopying,andidentitytheftareallmajorconcernstoday.
TheprovencryptographicprotocolsimplementedinAtmel'stamper-resis-tantmicrocontrollersofferapowerfulturnkeysolutiontofightthesethreats.
ThispaperpresentsexamplesofefficientandcosteffectiveIPprotectionapplicationsutilizingsecurechipsinvariousembeddedsystems.
1.
1.
High-techGoodsCounterfeitingAccordingtothe2005report[KMPG05]byaccountingfirmKPMGInternational,fakehigh-techgoods(cellphones,computers,printercartridges,etc.
)accountforabout$100billioninsaleslosttocounterfeiterseachyear.
Thismeansthataround10percentofallhigh-techgoodssoldeachyearworldwidearefakes!
Therefore,10percentofallhigh-techsalesarelosttotheIntellectualProperty(IP)owners.
Besidesfinancialconsiderations,counterfeitingpresentsnoticeablecollateralrisksfortheconsumers–noguaranteethatfaultygoodswillbereplacedandfakegoodsmayeveninjurethecustomerduetoimpropertesting,poorqualityofconsumables,etc.
Counterfeitgoodscanalsoseverelydegradethepublicimageofcompaniesbydeterioratingcus-tomersatisfactionnottomentionthatfakeautomotiveoraeronauticsparespresentarealconcernforpublichealthandsafety.
Examplesofthecounterfeitingofhigh-techgoodsaregivenin[MERC].
Somerenownedcompanieshavebeentargetedbyinternationalcriminalorganizations,whichhavesoldthou-sandsofcounterfeit-brandedproductsinseveralcountries.
Generallyspeaking,famousbrand-nameproductsaremoreexposedtocounterfeitingbecausetheyareseenas"musthave"goodsandthereforeareeasiertosellonthecounter-feitmarket.
Manyaccessoriesandperipherals(formobilephones,personaldigitalassistants,portableMP3andvideoplayers)arethetargetofcriminalsthatuseincreasinglysophisticatedmanufacturingmeansandindustrialproductiontechniques.
Anyhigh-techproduct,whateverthemarket(massmarketeditemssuchasmusicplayersorevenindustrialequipment,machines,etc.
)isvulnerabletocounterfeiterswhoaimatSecureMicrocontrollersApplicationNoteRev.
6528A–17May062SecureYourEmbeddedDevices6528A–SMIC–17May06makingmoney,takingadvantageofthepublicimageoffamousbrandsbycloningequipment/partsandsellingsimilarproductsatamuchlowerprice.
Anotherstrategymayonlybecostreduction.
Somecompaniesmayprefercloningexpensiveequipment(e.
g.
networkequipment)theyhavealreadypurchasedfortheirownuse,thusstealingIP,ratherthanbuyingnewcertifiedproducts.
1.
2.
DigitalContentCopyIntellectualandartisticproperty(music,moviesandsoftware)piracyisalsoarealproblemfortheelectronicsindustry.
Evenifthefullcostofillegalmultimediacontentduplicationcannotbequanti-fied,theavailabilityofmultipleperfectcopiesofcopyrightedmaterialsisseenbymostofthemediaindustryasathreattoitsviabilityandprofitability.
Digitalmediapublishershavebusinessmodelsbasedaroundchargingafeeforeachcopyorperformanceofthemultimediaproduct.
Asaconse-quence,DigitalRightsManagement(DRM)wasdesignedasameanstoallowthemtocontrolanyduplicationanddisseminationofthecontent.
However,hackersareactivelytryingtocracktheDRMsystems.
ThefamousContentScramblingSystem(CSS)algorithmusedforDVDcopyprotectionwasrevealedthreeyearsafteritscreationtobeeasilysusceptibletoabruteforceattack(referto[WPD-DE]).
Manyotherrecentcopyprotec-tionsystemshavealreadyfailed.
Forexample,thehackeroftheCSSsystemhasalsohackedafamousmusicstoresystem,allowingtheremovalofthecopyprotectionfromthepurchasedmusicfiles(referto[CNN]).
Governmentsarenowbackingthefightagainstcounterfeiting.
AmongtheseinitiativesaretheUSStrategyTargetingOrganizedPiracy(STOP[USPTO]),theEuropeanAssociationfortheProtec-tionofEncryptedWorksandServices(AEPOC[AEPOC],andtheUKFoundationforArtandCreationTechnology(FACT[FACT]).
1.
3.
IdentityTheftAnotherburningissueistheidentitytheftofwebapplications.
Accordingto[JAV06],theamountlosttofraudoveraone-yearperiodforonlineapplications(banking,shopping,etc.
)isestimatedat$54.
4billionin2005intheU.
S.
alone.
Usercredentialsaremainlystolenthroughofflinemeans(stolenwallet,theftofpapermail,misap-propriationbyfriends).
Onlineattacksarerelativelyrare(11.
6%),butaccordingto[GAR05],phishing(1)attacksaregrowingexponentially.
Inreactiontothegrowingthreat,theUSFederalFinancialInstitutionExaminationCouncil(FFIEC)hasestablishedaguidancerulingforuseronlineauthenticationtobankingservices.
Asreportedin[FINE],USbankswillhavetocomplywiththeserulesbytheendof2006anddeploytwo-factorauthenticationsolutions(explainedbelow)wheneverneeded.
Microsoftalsobelievesthatpasswordsarenolongerreliableandwillenforcenewstrongauthen-ticationmeansinitsnewWindowsVISTAoperatingsystem.
Withstrongauthentication,eachpartyinvolvedinthetransactionprocesscanbeconfidentoftheotherparty'sidentity.
Thisenablestrustede-commerceandtransactions,securelogon,protectionagainstphishing,pharm-ing(2)andmore.
1.
Phishing:techniqueconsistinginstealingusercredentials(login/password)throughfakee-mails2.
Pharming:advancedtechniqueconsistingofthecreationoffakewebsites(e.
g.
banking)thatperfectlymimictherealones.
Usersareseamlesslydirectedtothesefakesites,andentertheirloginandpasswordthatarerecordedbyhackers!
SeamlessredirectioncanbeachievedthroughfalseURLs(thatsurprisinglylookliketherightone)sentbye-mail,orbyInternetDomainNameServershacking(DNScachepoisoning)thatwillerrone-ouslytranslategoodURLstothehackersIPaddress.
3SecureYourEmbeddedDevices6528A–SMIC–17May061.
4.
Atmel'sSecureMicrocontrollerFamilyThispaperwillshowhowtopreventthethreatsmentionedwiththeuseofAtmel'ssecuremicro-controllers.
Thehigh-levelexamplespresentedhereinonlyshowprinciplemethods.
Detailedreferenceswillbegivenforfulltechnicalexplanationsandimplementationrecommendations.
Moreover,thesolutionsexposedhereinmaybepatented.
TheproventechnologyusedinAtmelsecuremicrocontrollersisalreadywidespreadandusedinnationalID/healthcards,e-passports,bankcards(storinguserPersonalIdentificationNumber,accountnumbers,authenticationkeysamongothers),pay-TVaccesscontrolandcellphoneSIMcards(allowingthestorageofsubscribers'uniqueID,PINcode,andauthenticationtothenet-work),wherecloningmustdefinitelybeprevented.
Morethanonebillion(1)ofsuchmicrocontrollershavebeenalreadysoldbyAtmelandsuccessfullyimplementedinmanysecuresystems.
Atmel'ssecureproductswilladvantageouslyreplacecomplexandexpensiveproprietaryanti-tam-peringprotectionsystem.
Theiradvantagesincludelowcost,easeofintegration,highersecurity,proventechnology.
VersatilityThreesecuremicrocontrollerfamiliesareavailable:AT90SC,AT91SCandAT98SC.
TheAT90SCandAT91SCare"open"solutionswheretheimplementercandeveloptheirownon-chipapplica-tionusingavailableAtmelsoftwarelibraries.
Beyondthis,theAT98SCfamilychipsfeaturecomprehensiveembeddedfirmwarethatprovidesstandard,publicdomain-provencryptographicalgorithms.
Thisisdeemedsaferthanusingproprietaryalgorithms,sincetheirstrengthsorweak-nessesarewellstudiedbythescientificcommunity.
TheAT98SCwillbefurtherdescribedlaterinthispaper.
TamperingResistanceAT9xSCmicrocontrollersaredesignedtokeepcontentssecureandavoidleakinginformationdur-ingcodeexecution.
WhileonregularCPUs,measuringcurrentconsumption,radioemissionsandothersidechannelsattacksmaygivepreciousinformationontheprocesseddataorallowthemanipulationofthedata.
Atmel'ssecuremicrocontrollers'securityfeaturesincludevoltage,fre-quencyandtemperaturedetectors,illegalcodeexecutionprevention,tamperingmonitorsandprotectionagainstsidechannelattacksandprobing.
Thechipscandetecttamperingattemptsanddestroysensitivedataonsuchevents,thusavoidingdataconfidentialitybeingcompromised.
Thesefeaturesmakecryptographiccomputationssecureincomparisonwithregularmicrocontrol-lerswhosememoriescanbeeasilyduplicated.
Itismuchsafertodelegatecryptographicoperationsandstorageofsecretdata(keys,identifiers,etc.
)toanAtmelsecuremicrocontroller.
SuccessStoriesAtmelsecuremicrocontrollersalreadyhavesuccessfullybeenintegratedintoembeddedsystemsusingvariousformfactors.
Applicationsincludefrankingmachines,tachographs,set-topboxes,networkrouters,etc.
1.
ThebillionthwassoldinMarch20064SecureYourEmbeddedDevices6528A–SMIC–17May062.
SecureYourHardware–Anti-cloningSolutionsAtmelsecuremicrocontrollersareperfectlydesignedtosecureembeddedsystems.
Forexample,theAT98SCisespeciallygoodatpreventingtheconnectionofanunauthorized/fakesub-systemtoawidersystemofinterconnecteddevices(refertoFigure2-1).
Thisappliestoscenariosassim-pleasamobilephoneauthenticatingitsbattery(ensuringthebatteryisgenuine),oralittlemorecomplexsuchasaserverauthenticatinganetworkdevice.
Whenanunauthorized/counterfeitpartisdetectedbythesystem,theoverallfunctionalitycanbelimitedorevendenieddependingonthemanufacturer'spolicy.
Anti-cloningprotectiondoesnotneednottobe100%efficientastheresearchpresentedintheJune2006RSAConferencebyCryptographicResearch[CRI06]explains.
Theimplementedpro-tectionsmustmakecloningunprofitabletohackers:"[…therefore]usinghardwaretamper-resistantmicrocontrollersforcesattackerstobeinvasive,oruseverycomplexandexpensiveequipment.
"Figure2-1.
Authentication2.
1.
PreventtheCloningofYourHigh-techGoodsAnticloningissafelyimplementedthroughone-wayormutualstrongauthentication(1).
Variousauthenticationprotocolsexist(referto[ISO9798],[FIPS196]),buttheprinciplemethodisthefollowing:1.
Theauthenticatorsendsachallenge(e.
g.
arandomnumber)totheequipmentthatmustbeauthenticated("theclaimant").
2.
Theclaimantcomputesadigitalsignatureofthecombinationofthischallengewithanoptionalidentifier,usingaprivateorsecretkey.
Therequestedsignatureisthenreturnedtotheauthenticator.
3.
Theauthenticatorchecksthesignatureusingeitherthesamesecretkeyorthepublickeyassociatedtotheclaimant'sprivatekeyanddecideswhethertheclaimantisauthorizedornotbasedonthesignatureverificationresult.
Letusillustratethisprocesswiththeexampleofacellphone(theauthenticator)authenticatingabattery(theclaimant).
Thisexample(refertoFigure2-2)isbasedontheISO/IEC9798standard[ISO9798].
ThisapplicationcanbeimplementedusingtwoAT98SCchips–oneinthephoneandoneinthebattery.
Thebattery-sideAT98SCchipcontainsasecretkey(loadedduringbatterymanufacturing)thatcanneverbeextractedandisutilizedtocomputesignatures.
Consequently,theAT98SCmustbeclonedinordertomakecounterfeitbatterieswhichispracticallyimpossible.
1.
Strongauthentication:exchangeofmessagesduringwhichaclaimantprovesitsidentitytoaverifierbydemonstratingitsknowledgeofasecretbutwithoutrevealingit.
DEVICEHOSTATMELAreyouagenuinedeviceAreyouatrustedhostATMEL5SecureYourEmbeddedDevices6528A–SMIC–17May06Thephone'sAT98SCcontainsthesamesecretkey,eitherloadedduringphonemanufacturing,orremotelyupdatedthroughanencryptedcommunicationchannel.
ThebatterydoesnotneedamicrocontrollerotherthantheAT98SC–thephonecanbeconnecteddirectlytothebattery'ssecuremicrocontrollerthroughthebatterycontacts.
Figure2-2.
Cellphonebatteryanti-cloningsystemexampleAmoredetaileddescriptionofthescenarioisshownbelow:1.
Thephonesendsachallenge(randomnumber)tothebattery.
–Thephonesendsa"GetChallenge"commandtoitsAT98SC.
TheAT98SCsendsbacktherequestedchallenge.
–Thephonesendsan"InternalAuthenticate"commandtothebattery'sAT98SCwiththegeneratedchallenge.
Thebattery'sAT98SCthencomputesasignatureofthischallengeusingthesecretkey.
2.
Thephonereceivesthebattery'scomputedsignatureandforwardsittoitsownAT98SCforverification:–Thephonesendsan"ExternalAuthenticate"command,withthebattery'ssignature,toitsAT98SC.
–Thephone'sAT98SCreturnsthevalidation.
Thesametechniquecanbeappliedtoprintersauthenticatingcartridges,avideogameconsoleauthenticatingajoystick,aPC(orremotewebsite)authenticatingaportableMP3player,aserverauthenticatinganetworkdevice,etc.
Dependingonthecustomer'sinfrastructure,symmetrickeysystems(DES)maybepreferredtopublickeysystems(RSA).
Asageneralrule,thehostmustbecarefullydesignedsothattheperipheralauthenticationprocesscannotbebypassed.
Smartphone(authenticator)SignatureSignchallengewithsecretkeyVerifysignaturewithsecretkeyATMELATMELBatterysecretkeyGetChallengeOK/NOTOKInternalAuthenticate(Ch)Battery(claimant)ChallengeChGeneratearandomChExternalAuthenticate+SignatureAreyougenuineBatterysecretkey6SecureYourEmbeddedDevices6528A–SMIC–17May063.
SecureYourDigitalContent–DRMandSoftwareCopyProtectionAtmelsecuremicrocontrollerswillhelpwhenprotectingmultimediadata.
TheyaredesignedforkeyandcertificatemanagementusedinDRM,andsoftwareprotectionareas.
DRMsystemsthatdonotrunontamper-resistanthardwarecannot,theoretically,besecuresincedigitalcontentcanbecopiedatahardwarelevel.
3.
1.
DigitalRightsManagementAsanexample(refertoFigure3-1),letusseehowtobindamusicfiletoasinglemusicplayerbyusinganAT98SCmicrocontroller.
TheultimategoalofDRMistopreventaccesstoadigitalclear-textmusicfilethatcouldbecopiedinfinitelywithoutanydegradationinsoundquality.
Figure3-1.
Securemediaplayer1.
Provisioning(1):inapreliminarypersonalizationphase,themanufacturermakestheequipmentgenerateaspecifickeypair.
–Themanufacturingequipmentsendsa"GenerateKeyPair"commandtotheAT98SC.
Thegenerated"userprivatekey"remainsinternallystoredinafileontheAT98SCandcanneverbeextracted.
Theassociated"userpublickey"isreadfromtheequipmentandcertified(i.
e.
signedwitha"certificationauthority"privatekey).
ThecertificateisstoredbackintheAT98SC.
ThismakesitimpossibletohavevalidpublickeysgeneratedbysomethingelseotherthananAT98SCpersonalizedforthispurpose.
Moreover,thiscertificatebindsthegeneratedpublickeytotheequipmentidentifier.
1.
Provisioning:activityconsistinginloading/generatingusercredentials,cryptographickeys,identifiersintoequipment.
InternetPurchasedMusicfileMediaplayerMaincontrollerOnlinemusicstoreUserprivatekeyUserCertificationAuthorityIspublickeyvalidYESEquipmentpartIDUserpublickeyEncrypteddecryptionkeyEncryptedDATAPurchaseorderPurchasedmusicfiledownloadID:1234DecryptionkeyATMELSecureMicrocontrollerDecrypteddecryptionkeyPlaymusic!
1)2)3)4)5)6)EquipmentpartIDUserpublickey7SecureYourEmbeddedDevices6528A–SMIC–17May062.
Thecustomersendsapurchaseorder(refertostep1)inFigure3-1)togetherwithitsequip-mentpartIDandpublickeycertificate.
Themediaplayersendsthecommand:–"ReadRecord"tofetchthecertificatefromtheAT98SCfilesystem.
3.
Themusicproviderchecksthe"userpublickey"validity(steps2and3).
Verifyingthepublickeyisnecessaryotherwiseanyonecouldcreatetheirownpublickeypair,sendittothemusicstoreandthendecryptmusicfilesoutsideofDRM-enabledproducts.
4.
Themusicproviderencryptsthepurchasedmusicfilewitharandom,single-usage"encryp-tionkey"thatisinturnencryptedwiththecustomer's"userpublickey"(asaconsequence,nooneelsecandecryptthisdecryptionkey).
5.
Thecustomerdownloadstheencryptedmusicfileintotheirmediaplayer(step4).
Toplayit,theplayer'smaincontrollersendsthefollowingcommand:–"DecryptData",wheretheprovideddataistheencrypted"decryptionkey".
The"decryptionkey"isdecryptedthankstothecustomer's"userprivatekey".
6.
Thedecrypted"decryptionkey"issentbacktothemaincontroller(step5).
Themaincon-trollercannowdecryptthemusicdataandplayit(step6).
Asageneraldesignrule,thetransmissionofthedecryptedkeysbetweenthesecuremicrocontrollerandthemaincontrollermustbesecuredeitherlogically,byencryptingthecommu-nications,orphysically(offeringtamperprotection),orboth.
However,storingcryptographickeysintoacontrollerthatisnotdesignedtobesecureisdangerous.
3.
2.
On-the-flyEncryptionAtmelsecuremicrocontrollersfeatureon-the-flyencryption/decryptionfunctionsthatcanbeappliedtodatastreamswithareasonablebaudrate,forexample,encryptedvoicecommunications.
On-the-flyencryptionrequirestheuseofasymmetriccipheralgorithm(3DES,AES,etc.
),becausepublickeyalgorithmsaretooslow.
Insuchapplications,asymmetricsessionkeyisexchangedusingapublickeycryptographicprotocol(refertostep1)inFigure3-2).
Forthesakeofsimplicity,thisstepisnotdetailedhere.
SomeofthepossibleprotocolsincludeKerberos,AuthenticatedKeyExchangeProtocol,Diffie-Hellman,El-Gamal,andmore.
Figure3-2.
EncryptedvoicecommunicationOncethephoneshaveestablishedacommunicationchannelwithsymmetricsessionkeys:1.
Loadtheencryption/decryptionkeyintotheAT98SC:–Eachphonesendsa"ManageSecurityEnvironment"commandcontainingthesessionkeytoitsAT98SC.
1:Initiatecall(sessionkeyexchange)2:EncryptedVoicestreamATMELATMEL8SecureYourEmbeddedDevices6528A–SMIC–17May062.
Thenvoicestreamcanbeciphered/decipheredforaslongasthecommunicationlasts(step2):–Foranoutgoingvoicestream,theAT98SCwillinstantlyencryptthedigitizedvoicestreamwiththe"Encryptdata"command.
–Foranincomingvoicestream,theAT98SCwillinstantlydecryptthedigitizedvoicestreamwiththe"Decryptdata"command.
3.
3.
SoftwareProtectionSoftwarecopyprotectionissecurelyachievedbyputtingvitalsensitivefunctionsintoasecuremicrocontrollerintegratedinaUSBdongle.
Ifthedonglecannotbecloned,thesoftwareisuse-less.
Thesoftwaredesignneedstoberesistanttoreverseengineeringsothedongleisalwaysmandatorytothesoftwarefunctioning.
9SecureYourEmbeddedDevices6528A–SMIC–17May064.
SecureYourPrivacy–Multi-factorUserAuthenticationSolutionsThemethodstoauthenticatehumansaregenerallyclassifiedintothreecases:physicalattribute(e.
g.
fingerprint,retinalpattern,facialscan,etc.
),securitydevice(e.
g.
IDcard,securitytoken,soft-waretokenorcellphone),andsomethingtheuserknows(e.
g.
apassword/passphraseorapersonalidentificationnumber).
Tofightagainstidentitytheft,themulti-factorauthenticationisastrongeralternativetotheclassi-callogin/passwordauthentication(calledweakauthentication).
Itcombinestwoormoreauthenticationmethods(oftenapasswordcombinedwithasecuritytoken).
Two-factorsystemsgreatlyreducethelikelihoodoffraudbyrequiringthepresenceofaphysicaldeviceusedtogetherwithapassword.
Ifthephysicaldeviceislostorthepasswordiscompromised,securityisstillintact.
ThereadercanrefertoNIST's[SP800-63]forfurtherdetails.
Multi-factorauthenticationrequiresastrongauthentication.
Anticloningissafelyimplementedthroughone-wayormutualstrongauthentication.
Variousauthenticationprotocolsexist(referto[ISO9798],[FIPS196]),buttheprinciplemethodisthefollowing:methodtocomplementthepass-wordauthenticationandthisstrongauthenticationmethodrequiresstoringsecretdata.
Puresoftwaremulti-factorsolutionsarethusnotreliable.
Ifsensitivedataisstoredinfilesonaharddisk,evenifthosefilesareencrypted,thefilescanbestolen,clonedandsubjectedtovariouskindsofattacks(e.
g.
bruteforceordictionaryattack(1)onpasswords).
Thereforesecuremicrocon-trollers-basedhardwaretokensareamust.
Placingsecretsoutsidethecomputeravoidsriskingexposuretomalicioussoftware,securitybreachesinwebbrowsers,filesstealing,etc.
NumerouscompaniesarenowprovidingauthenticationsolutionsbasedonUSBtokens.
TokensconnectedthroughUSBareaconvenientsolutionsincetheyrequirenoadditionalhardware.
Atmel'sturnkeyUSBsecuremicrocontrollersolutionscanhelpprovidersfocusontheirsecuritymodelandtheirapplicationwithoutloosingtoomuchtimeontamperprotectionandothercomplexhardwaresecurityconcerns.
4.
1.
USBtokenscommonfeaturesTheUSBtokensaregenerallyableto(refertoFigure4-2):PerformchallengeresponseauthenticationThischallengeresponseprotocolisconsideredastrongauthenticationmethod.
AsshowninFigure4-1,hkisadigitalsignatureoperation(suchasDES,RSA,ellipticcurve(ECC)signa-ture,etc.
).
The"||"operatoristhe"concatenation"operator.
Figure4-1showshowadevicecanrequireassistancefromasecuremicrocontrollertoidentifyitselftothehost.
Notethattheusageof"challenges"(randomnumbers,infact)preventsobviousreplayattacks.
Insuchaprotocol,theclaimantentity(inthiscase,thedevice)canproduceacorrectsignatureonlyifitknowstherightsecret/privatekey.
Ifmanydevicessharethesamekey,identifierscanalsobeinvolvedintheauthenticationprocesstodistinguishbetweendevices.
1.
Bruteforceattack,dictionaryattack:hackingtechniquesthatconsistintryingcommonlyusedpasswords(dictionaryattack)oreverycharactercom-bination(bruteforce)toguessapassword.
10SecureYourEmbeddedDevices6528A–SMIC–17May06Figure4-1.
Challenge-responseunilateralauthenticationPerformone-timepasswordgeneration.
One-timepassword(OTP)isanotherstrongauthenticationmethodthathastheadvantageofbeingusableoversimplemediasuchasphones(theOTPisdialed).
Thismethoddoesnotrequirecomplexcomputationsaswithchallenge-responseauthentication.
Theprinciplemethodofone-timepasswordsisasfollows(pleasereferto[RFC1760]forfur-therdetails).
Letusassumewehaveaclientandaserver.
Inapreliminaryprovisioningstep,alistofpasswordsisgeneratedontheclientsideusingaclient'ssecretpassphraseandaseed(1)fromtheserver(itiscomputationallyinfeasibletoguesspasswordN+1frompasswordN,butontheserverside,verifyingthatpasswordN+1iscorrectisstraightforwardknowingpasswordN).
Then,duringnormalusage,theuseridentifieshimselftothe"authenticator"andprovidesthenextpasswordinthelist.
Sinceanewpasswordisusedoneachauthenticationattempt,andthispasswordcannotbere-used,thereisnoriskofitbeingcompromised.
BesidesRFC1760,manyotherOTPimplementationsexistbutstandardizationispendingtoenableinteroperabilitybetweenvariousauthenticationsystems(referto[OATH],[RSA-OTP]).
Performtokenholderauthentication.
Thisfeatureisusedtounlockthetokenandprotectagainstlossortheft.
Thisauthenticationcanbedoneusingasimplepassword,orthroughbiometricauthentication,andisnecessarytopreventtokenaccesswhenlostorstolen.
Notethatbiometricauthenticationmethodsmustneverbeusedinplaceofapasswordforonlinesubmission(ifstolen,youridentityiscompromisedforever)buttheyproveusefulforofflineusage(e.
g.
unlockhardware)because:–Theyhavenoriskofbeingforgotten–Thereisnoneedtowriteitdownsomewhere–Theyareimpossibletocounterfeit(whereasbadpasswordscanbeguessed)1.
seed:(pseudo-)randomnumberDEVICESecureMicrocontrollerInternalauthenticate+ChMutualauthenticationrequest+hostchallenge(Ch)HOSTDevicesignatureDevicesignaturehk(Cd||Ch)+Devicechallenge(Cd)Generatesignatureusinghostchallenge,devicechallengeandaprivate/secretkeyGeneratearandomhostchallengeGeneratearandomdevicechallengeVerifysignatureusinghostchallenge,devicechallengeandapublic/secretkey11SecureYourEmbeddedDevices6528A–SMIC–17May06Figure4-2.
HardwaretokencommonfeaturesBesidesthemulti-factorauthentication,thefollowingsecondaryfeaturesareoftenusedinsuchtokens:–Singlesign-on.
Singlesign-onenablesuserstoenter,once,amasterlogin/passwordontheUSBtokenandthengainaccesstoapersonaldatabaseoflogin/passwordentriesassociatedtowebsiteURLs.
Thisenablesaseamlessuserloginonvariouswebsitesduringbrowsing.
–Certificatestorage.
USBtokenscanstoreusercertificatesforauthenticationandprivatekeysfordocumentsignature.
Storingprivatekeysonaprotectedhardwaretokenpreventsanyoneotherthanthelegitimateusersigningdocuments.
–Tokensharing.
Currently,mostwebapplicationsrequiretheirownhardwaretoken(oneforeachbank,onefortheonlinebookstore,etc.
).
Themultiplicationoftokenscurrentlydeterstheirutilization.
Sotokensharingisanattempttoputmultipleauthenticationapplicationsintoasingletoken.
–PKCS#11API(RSA)orMS-CAPI(Microsoft).
ThesearestandardizedPCcomputersoftwarelibrariesthatofferhigh-levelcryptographicservices(digitalsignature,keygenerationandstorage,encryption/decryption,etc.
)thataremostlyusedbywebbrowsersbutareavailabletovirtuallyanyapplication.
Thecryptographicservicescanbeimplementedaspuresoftwareorrelyonahardwaretokenthroughadedicateddriver.
Atmelsecuremicrocontrollersperfectlyfitas[PKCS11]or[MS-CAPI]complianthardwaretokens.
LaptopUSBTokenBiometricsensorFlashmemorySecuremicrocontrollerUSBinterfaceWebserverUserUNLOCKSAUTHENTICATIONBROWSESUSBFileSystemCertificatesPasswordsKeysWebbrowserPKCS#11APIPKCS#11DriverCryptoAuthenticationSignatureDigestEncryptionRandomLocalAreaNetworkLOGIN12SecureYourEmbeddedDevices6528A–SMIC–17May064.
2.
Implementahigh-endUSBtokenThefollowingexampleshowshowtouseanAtmelsecuremicrocontrollertorapidlydevelopsim-ple,yetverysecure,hardwaretokensformulti-factorauthenticationsolutions.
Asacomprehensiveexample,wearegoingtoshowhowtointerfaceanAtmelUSBsecuremicrocontrollerwithAtmelfingerprintsensors(referto[ATM-FIN])andAtmelFlashmemorymassstoragethroughanSPIbus(subsetsofthiscomprehensivesolutioncanbeevenmoreeasilyimplemented).
RefertoFigure4-3below.
Figure4-3.
OTP-enabled,massstoragebiometricUSBtokenScenario#1:Theuserwantstologintotheirfavoritee-bankingwebsitewhichrequiresaone-timepassword.
1.
TheuserconnectstheirUSBtokentothePC.
2.
Theuserprovidesapassword/fingerprinttotheirUSBtokentoprovetheyarealegitimateuser.
Inthecaseofapasswordlockanddependingonthesystem,thepasswordmaybeenteredontheUSBtokendevice,ifithasanentrydevice,ortypedonthePCandtransmit-tedtothetoken.
DirectentryisthepreferredmethodbecausewhenenteredonaPC,keyboardloggersorUSBspiesmayintercepttheuser'ssecretdata.
AfingerprintmustalwaysbecaptureddirectlyontotheUSBtoken.
Inthecaseofapasswordlock,thefollow-ingsequenceofcommandsmustbesenttothesecuremicrocontroller:–Selecttheauthenticationapplication(Selectcommand)–Requestarandomnumber(GetChallengecommand)–Combinethepasswordwiththechallenge(usingamathematicalfunctioncalled"hash")andsubmitthecombination(SubmitPasswordcommand).
Ifsuccessful,accesstothesecuremicrocontrollercryptographicfeaturesanduserpersonaldataisthenunlocked.
PCapplications(e.
g.
webbrowser)canthenrequestcryptographicoperationsthroughthePKCS#11API.
3.
TheusertypestheURLoftheonlinebankingwebsiteintothewebbrowserandentersitsidentifierontheuseridentificationscreen.
4.
ThewebbrowserapplicationnowcallsthePKCS#11APItoretrieveanOTPusingtheC_Signfunction.
Inturn,thePKCS#11driversendsa"GetOTP(n)"commandtotheUSBtokenwhichwillreturnthenthOTP,sincetheuserhasunlockedtheirtoken.
Thispasswordisthentransmittedtothewebsite.
Ausertwo-factorstrongauthenticationhasbeenperformed.
FLASHATMELUSBSPIBusFingerprintsensor13SecureYourEmbeddedDevices6528A–SMIC–17May06Scenario#2:TheusersignsanimportantdocumentstoredonaFlashmassstoragedevice.
1.
Asinscenario#1,theuserconnectsthetokenandunlocksitthroughtherelevantholderauthenticationmethod.
2.
SpecialcommandsnowallowthePCtoaccesstheFlashmemory,decryptedon-the-flybythesecuremicrocontroller,whichholdstheencryptionkeys.
TheusergetsthedocumentontotheirPC.
3.
Upontheuser'srequest,thedocumentissignedbythetokenusingthe"GenerateSigna-ture"command.
14SecureYourEmbeddedDevices6528A–SMIC–17May065.
TheNewAT98SCFamilyTheAT98SCisanewmicrocontrollerfamilybasedonthetechnologyimplementedontheAT90SCandAT91SCseries.
Itsembeddedfirmwareprovidesaturnkeysolutionfortheapplica-tionsexplainedaboveandmanymore!
TheAT98SCfamilyprovidesagenericsolutiontothesecuritythreatsstatedinthispaper.
TheAT98SCfamilyisanalternativetoTrustedPlatformModules(TPM)fortheembeddedmarket(referto[ATM-TPM]).
AT98SCfamilymembersoffermore-flexibleinterfacesthanTPMswithalowerpincount.
ThekeymanagementcanalsobefreelycustomizedandisnotasstringentasonTPMs.
5.
1.
Flexibility.
RapidDevelopment/IntegrationforEmbeddedProductsCurrently,theAT98SCfamilymembersfeature(referto[ATM-AT98]forfurtherdetails):VariouscommunicationinterfacesincludingSPI(SerialProtocolInterface)andUSB(UniversalSerialBus)Lowpincount(Reset,Vcc,GND,andcommunicationinterfacespecificpins)sointegrationintoanexistingboardissimple.
AT98SCchipsareavailableinsmallpackages(QFN44)tofitintothemostsize-constraineddevices.
Lowpowerconsumption,inordertoextendbatterylifeinportabledevicesandlow-powersystems.
AT98SCdevicesconsumelessthan100Ainstandbymode,andonly5to15mAduringCPU(1)-intensiveoperationsdependingontherequiredaction.
Embeddedfirmwarethatprovidesadvancedfunctions:–Securefilesystem:afullyuser-definednonvolatilestorageofsensitiveorsecretdata.
Partsofthefilesystemcanbepassword-protected.
Italsostorestheconfigurationofthecryptoalgorithms.
–Administrationmodetomanagechipinternals,securityfeatures,cryptographicconfigurationandfilesystemcontents.
ItallowsdownloadingdataintotheAT98SCfilesystemusinganencryptedchannelwithsessionkeys.
–Commandsettoperformcryptographicoperationsusingkeysanddatafromthefilesystemincluding:authentication,digitalsignature,encryption/decryption,hash,random,publickeypairgeneration.
–Cryptographicalgorithms:RSAPKCS#1v2.
1[PKCS1],EC-DSA[FIPS186],[ISO9797]MACusing3DES.
–Cryptographicprotocols:[ISO9798]secret-keyunilateralormutualauthenticationand[FIPS196]publickeybasedunilateralormutualauthentication.
–Robustcommunicationprotocolstackedoverthephysicalcommunicationinterfaces.
Anevaluationkit(AT98SC-EV1)PleaserefertotheAT98SCfamilyroadmap(2)foradetailedscheduleofnewfeaturessuchas:–X.
509certificateverification/generation–HOTPalgorithm(referto[OATH])–TWI(Two-Wireinterface),UART(UniversalAsynchronousReceiverTransmitter)–SOIC-8packageorsimilar1.
CPU:CentralProcessingUnit2.
ContactyourlocalAtmelsalesoffice.
15SecureYourEmbeddedDevices6528A–SMIC–17May065.
2.
CustomizeYourSecurityCurrently,itisnotpossibletoloadusercodeontheAT98SCdevices.
Forthatreason,thePythonprogramminglanguagesupportisplanned.
Avirtualmachine-basedPythonexecutionenvironmentwillallowafullcustomizationoftheAT98SCoperation.
CustomerswillbeabletoeasilydeveloptheirownsetofapplicationsembeddedintheAT98SCchipsusingahigh-levellan-guagewithoutbotheringwithlow-levelhardwareconsiderations.
ThePythonlanguageisalreadysuccessfullyusedwithintheindustry(Philips,NASA,LucasfilmsLtd,AstraZenecaInternational,Nokia,etc.
)andoffersalow-costsolutionbecauseitislicense-free.
ThePythonlanguageisalsousedinportabledevices,themostfamousexamplebeingtheNokiaSeries60SmartphoneembeddingafullPythoninterpreter(see[NOKIA]).
Moreover,freeyetefficientdevelopmenttoolsarealreadyavailable(basedonIBM'sEclipseIDE).
Pythonisappreciatedforitsfastlearningcurve,fastapplicationdevelopment,maintainability,andreadabil-ityofsourcecode(See[PYTH-ST]).
6.
ConclusionHigh-techgoodscounterfeiting,multimediacontentcopyingandidentitythefthaveanincreasingcosttoindustryandconsumers.
Besidesthefewexamplespresentedherein,AT9xSCseriesmicrocontrollerscansuccessfullyprotectabroadrangeofapplicationsagainstthesethreatsamongothers.
Typically,theextracostofasecuritychipremainsnegligiblecomparedtothederivedbenefits.
Withtheirembeddedfirmware,AT98SCmicrocontrollersallowaneveneasierimplementationofsecuredembeddedsystems.
16SecureYourEmbeddedDevices6528A–SMIC–17May067.
References[AEPOC]EuropeanAssociationfortheProtectionofEncryptedWorksandServices,Web:http://www.
aepoc.
org[ATM-AT98]AT98SC008CTDescription,Atmel,Web:http://www.
Atmel.
com/dyn/products/product_card.
asppart_id=3882[ATM-FIN]AT77C105A-FingerChipsensordescription,Atmel,Web:http://www.
Atmel.
com/dyn/products/product_card.
asppart_id=3609[ATM-TPM]TrustedPlatformsforHomelandSecurity,Web:http://www.
Atmel.
com/dyn/resources/prod_documents/doc5062.
pdf[CNN]Web:http://www.
cnn.
com/2003/TECH/internet/11/27/itunes.
code.
ap[CRI06]AttackoftheClones:BuildingClone-ResistantProducts,RSA2006,Web:http://www.
cryptography.
com/resources/whitepapers/Clone-Resistance2006.
pdf[FACT]FoundationforArtandCreativeTechnology,Web:http://www.
fact.
co.
uk[FINE]USbanksgivenauthenticationdeadline,Oct2005,Web:http://www.
finextra.
com/fullstory.
aspid=14389[FIPS186]FIPS-PUB186,DigitalSignatureStandard,1994,Web:http://www.
itl.
nist.
gov/fipspubs/fip186.
htm[FIPS196]Entityauthenticationusingpublickeycryptography,1997February18,Web:http://www.
itl.
nist.
gov/fipspubs/fip196.
htm[GAR05]GartnerSurveyShowsFrequentDataSecurityLapsesandIncreasedCyberAttacksDamageConsumerTrustinOnlineCommerce,2005PressReleases,Web:http://www.
gartner.
com/press_releases/asset_129754_11.
html[ISO9797]ISO/IEC9797,"Informationtechnology–Securitytechniques–Dataintegritymecha-nismusingacryptographiccheckfunctionemployingablockcipheralgorithm",InternationalOrganizationforStandardization,Geneva,Switzerland,1994(secondedition).
[ISO9798]ISO/IEC9798-2,"Informationtechnology–Securitytechniques–Entityauthentication–Part2:Mechanismsusingsymmetricenciphermentalgorithms",InternationalOrganizationforStandardization,Geneva,Switzerland,1994(firstedition).
[JAV06]2006IdentityFraudSurveyReport,JavelinStrategyandResearch,January2006.
[KPMG05]KPMGReport-ManagingtheRisksofCounterfeitingintheInformationTechnologyIndustry,2005[MERC]Counterfeitsinundatinghigh-techmarket,D.
Takahashi(MercuryNews),Web:http://www.
siliconvalley.
com/mld/siliconvalley/13774284.
htm[MS-CAPI]TheCryptographyAPI,orHowtoKeepaSecret,RobertColeridge(MSDNTechnologyGroup),August19,1996,Web:http://msdn.
microsoft.
com/library/default.
aspurl=/library/en-us/dncapi/html/msdn_cryptapi.
asp[NOKIA]PythonTMforseries60,Web:http://www.
forum.
nokia.
com/python[OATH]IETFHMACOTPDraft4-InitiativeforOpenAuTHentication,Web:http://www.
openauthentication.
org/pdfs/HMAC_OTP_DRAFT_4.
pdf[PKCS1]PKCS#1:RSACryptographyStandard,Web:ftp://ftp.
rsasecurity.
com/pub/pkcs/pkcs-1/pkcs-1v2-1.
pdf[PKCS11]PKCS#11v2.
20:CryptographicTokenInterfaceStandard,Web:ftp://ftp.
rsasecurity.
com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.
pdf17SecureYourEmbeddedDevices6528A–SMIC–17May06[PYTH-ST]PythonSuccessStories,Web:http://www.
python.
org/about/success[RFC1760]TheS/KEYOne-TimePasswordSystemFebruary1995,Web:http://rfc.
net/rfc1760.
html[RSA-OTP]PKCS#11v2.
20Amendment1:PKCS#11mechanismsforOne-TimePasswordTokens,Web:ftp://ftp.
rsasecurity.
com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20a1.
pdf[SP800-63]ElectronicAuthenticationGuideline,NISTSpecialPublication800-63,Web:http://csrc.
nist.
gov/publications/nistpubs/800-63/SP800-63v6_3_3.
pdf[USPTO]UnitedStatesPatentsandTrademarksOffice,Web:http://www.
uspto.
gov/main/profiles/stopfakes.
htm[WPD-DE]DeCSSarticle,Web:http://www.
wikipedia.
org/wiki/DeCSS6528A–SMIC–17May06AtmelCorporation2006.
Allrightsreserved.
Atmel,logoandcombinationsthereof,EverywhereYouAreandothers,areregisteredtrademarksortrademarksofAtmelCorporationoritssubsidiaries.
Othertermsandproductnamesmaybetrademarksofothers.
Disclaimer:TheinformationinthisdocumentisprovidedinconnectionwithAtmelproducts.
Nolicense,expressorimplied,byestoppelorotherwise,toanyintellectualpropertyrightisgrantedbythisdocumentorinconnectionwiththesaleofAtmelproducts.
EXCEPTASSETFORTHINATMEL'STERMSANDCONDI-TIONSOFSALELOCATEDONATMEL'SWEBSITE,ATMELASSUMESNOLIABILITYWHATSOEVERANDDISCLAIMSANYEXPRESS,IMPLIEDORSTATUTORYWARRANTYRELATINGTOITSPRODUCTSINCLUDING,BUTNOTLIMITEDTO,THEIMPLIEDWARRANTYOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ORNON-INFRINGEMENT.
INNOEVENTSHALLATMELBELIABLEFORANYDIRECT,INDIRECT,CONSEQUENTIAL,PUNITIVE,SPECIALORINCIDEN-TALDAMAGES(INCLUDING,WITHOUTLIMITATION,DAMAGESFORLOSSOFPROFITS,BUSINESSINTERRUPTION,ORLOSSOFINFORMATION)ARISINGOUTOFTHEUSEORINABILITYTOUSETHISDOCUMENT,EVENIFATMELHASBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
Atmelmakesnorepresentationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisdocumentandreservestherighttomakechangestospecificationsandproductdescriptionsatanytimewithoutnotice.
Atmeldoesnotmakeanycommitmenttoupdatetheinformationcontainedherein.
Atmel'sproductsarenotintended,authorized,orwarrantedforuseascomponentsinapplicationsintendedtosupportorsustainlife.
AtmelCorporationAtmelOperations2325OrchardParkwaySanJose,CA95131,USATel:1(408)441-0311Fax:1(408)487-2600RegionalHeadquartersEuropeAtmelSarlRoutedesArsenaux41CasePostale80CH-1705FribourgSwitzerlandTel:(41)26-426-5555Fax:(41)26-426-5500AsiaRoom1219ChinachemGoldenPlaza77ModyRoadTsimshatsuiEastKowloonHongKongTel:(852)2721-9778Fax:(852)2722-1369Japan9F,TonetsuShinkawaBldg.
1-24-8ShinkawaChuo-ku,Tokyo104-0033JapanTel:(81)3-3523-3551Fax:(81)3-3523-7581Memory2325OrchardParkwaySanJose,CA95131,USATel:1(408)441-0311Fax:1(408)436-4314Microcontrollers2325OrchardParkwaySanJose,CA95131,USATel:1(408)441-0311Fax:1(408)436-4314LaChantrerieBP7060244306NantesCedex3,FranceTel:(33)2-40-18-18-18Fax:(33)2-40-18-19-60ASIC/ASSP/SmartCardsZoneIndustrielle13106RoussetCedex,FranceTel:(33)4-42-53-60-00Fax:(33)4-42-53-60-011150EastCheyenneMtn.
Blvd.
ColoradoSprings,CO80906,USATel:1(719)576-3300Fax:1(719)540-1759ScottishEnterpriseTechnologyParkMaxwellBuildingEastKilbrideG750QR,ScotlandTel:(44)1355-803-000Fax:(44)1355-242-743RF/AutomotiveTheresienstrasse2Postfach353574025Heilbronn,GermanyTel:(49)71-31-67-0Fax:(49)71-31-67-23401150EastCheyenneMtn.
Blvd.
ColoradoSprings,CO80906,USATel:1(719)576-3300Fax:1(719)540-1759Biometrics/Imaging/Hi-RelMPU/HighSpeedConverters/RFDatacomAvenuedeRochepleineBP12338521Saint-EgreveCedex,FranceTel:(33)4-76-58-30-00Fax:(33)4-76-58-34-80LiteratureRequestswww.
atmel.
com/literature