Implement secure authentication without being an expert in cryptography
“Digital security is one of the most well-known topics in Electronic design today. Encryption is probably the first word that comes to mind when engineers think about security, and only a few engineers think of authentication. However, authentication is an essential function of a secure device or transaction.
Authentication is important. Thanks to existing silicon-based solutions, we can enable authentication without needing to be experts in cryptography implementation.
Digital security is one of the most well-known topics in electronic design today. Encryption is probably the first word that comes to mind when engineers think about security, and only a few engineers think of authentication. However, authentication is an essential function of a secure device or transaction.
Consider identity verification in terms of home banking. Obviously, you want to encrypt confidential information like balances and account numbers. This happens when your internet browser displays a green lock with https://. That is, the first thing the internet browser checks when establishing a secure connection is that the bank website is authentic; in other words, it authenticates the bank website. Without authentication, you could be sending login and password information to impersonation sites, which can be very harmful indeed, as those credentials can be further reused to run any kind of unauthorized activity on behalf of an unsuspecting bank account holder transaction. Secure internet browsing is usually achieved through the TLS/SSL protocol, which, in addition to encryption, ensures authenticity and confidentiality.
Authentication is also important for Internet of Things (IoT) applications: untrusted endpoints can put entire infrastructures at risk. Let us consider a smart meter connected to an electrical distribution system. One easy way for attackers to compromise the grid is to load viruses or malware into smart meters. Infected meters can then send false messages to the infrastructure that reflect power consumption that is significantly different from actual power consumption, which in turn can cause the grid to become unbalanced. If the grid overreports, it will cause the seemingly excess power to be diverted elsewhere, but if the grid underreports, it will cause a surge in power; in the worst case, the attack could trigger a total blackout by disrupting the balance of the grid. To avoid this, it is necessary to verify that the meter’s hardware and its firmware are genuine. The process of verifying firmware is called Secure Boot.
Implement a valid authentication method
Now that we understand its importance, let’s discuss how to implement authentication. The easiest method of authentication is to use a password. In our smart meter example, the device could send a code to the grid control system. The server will verify the password and then authorize further transactions. While this approach is easy to understand, it’s not by far the best. An attacker can easily monitor communications, record the password, and reuse it to authenticate non-genuine devices. Therefore, we consider password-based authentication to be weak.
A better way to perform authentication in the digital world is the challenge-response method. Let’s look at two flavors of challenge-response methods: one based on symmetric cryptography and the other based on asymmetric cryptography.
Symmetric password authentication
Authentication based on symmetric encryption relies on a shared secret. The host and the device to be authenticated have the same keycode. The host sends a random number, the challenge, to the device. The device computes a digital signature as a function of the key and challenge and sends it back to the host. The host then runs the same calculation and compares the results. If the two calculations match, the device is authenticated (Figure 1). To ensure that results cannot be imitated, functions with sufficient mathematical properties must be used. For example, secrets cannot be retrieved without forcing the computation of the result. Secure hash functions such as SHA-256 support these requirements. For the challenge-response method, the device proves that it knows the secret without revealing the secret. Even if an attacker intercepts the communication, the attacker still cannot access the shared secret.
Figure 1. Authentication based on symmetric encryption relies on key numbers shared between host and device.
Asymmetric cryptographic authentication
Authentication based on asymmetric encryption relies on two keys: a private key and a public key. The private key is known only to the device to be authenticated, while the public key can be revealed to any entity willing to authenticate the device. As with the previously discussed method, the host sends a challenge to the device. The device computes a signature based on the challenge and private key and sends it back to the host (Figure 2). But here, the host uses the public key to verify the signature. It is also important that the function used to compute the signature has certain mathematical properties. The most commonly used functions for asymmetric schemes are RSA and ECDSA. Here, too, the device proves that it knows a secret, the private key, without revealing it.
Figure 2. Asymmetric key authentication relies on public and private keys.
Why Secure ICs Are Good for Authentication
Challenge-response authentication always requires the object to be authenticated in order to preserve the secret. In symmetric encryption, this is a shared secret between the host and device. For asymmetric encryption, this is the private key. Regardless, the security brought about by challenge-response authentication breaks when secrets are leaked. This is where security ICs can help. An essential property of a security IC is to provide strong protection of keys and secrets.
Maxim offers three families of authentication-enabled solutions:
Authentication ICs: These are configurable but fixed-function devices that provide the most cost-effective way to implement challenge-response authentication, along with a compact set of cryptographic operations.
Secure microcontrollers: In addition to supporting challenge-response authentication, these devices provide a full suite of cryptographic functions, including encryption.
Low Power Microcontrollers: While these products are not specifically targeted at security, they have all the building blocks needed to enable strong authentication.
Among authentication ICs, SHA-256-based products support authentication using a shared secret (Figure 3), while ECDSA-based ICs use private/public key pairs (Figure 4). In addition to the encryption engine, these products also have on-board EEPROM memory. This memory is configurable and can be used to store authenticated user data, such as calibration information for sensors.
Products based on SHA-256 are the most cost-effective solution. While they enable mutual authentication, the distribution of the shared key requires some precautions so that the key is not exposed during device manufacture and setup. This secret can be programmed at the Maxim factory to circumvent this shortcoming.
Figure 3. SHA-256 secure authentication is based on a shared secret.
Maxim’s DS28E15/DS28E22/DS28E25 ICs are based on SHA-256 technology and have different internal memory sizes. Since the same key is stored on the host side and the device side, it is recommended to use a coprocessor such as the DS2465 on the host side.
Products based on asymmetric encryption (such as DS28C36 and DS28E35) provide a more flexible solution because there is no need to protect the key from host-side disclosure. However, to offload public-key math and provide additional security operations, a host-side coprocessor such as the DS2476 (a companion IC to the DS28C36) can be used to simplify system solution development.
Figure 4. ECDSA-based authentication relies on private/public key pairs.
Secure microcontroller supporting symmetric and asymmetric encryption
Maxim offers secure microcontrollers ranging from the MAX32590 (ARM9 operating at 384MHz) application-grade processors that can run high-level operating systems such as Linux, to small form factor coprocessors such as the MAX32555 or MAXQ1061.
These microcontrollers support symmetric and asymmetric encryption and cryptographic algorithms for digital signatures and authentication. They feature hardware accelerators for SHA, RSA, ECDSA, and AES, as well as a complete cryptographic library, providing a standards-compliant turnkey API. They have a built-in secure boot feature, so the authenticity of the firmware is always guaranteed. They can handle a wide variety of authentication schemes due to their comprehensive set of encryption features.
The MAXQ1061 is a coprocessor that not only supports authentication, but also handles the most critical steps in the TLS/SSL standard IP-secure communication protocol. Processing the TLS protocol on-chip increases the level of security and offloads the main processor from computationally intensive tasks. This is very valuable for resource constrained embedded systems.
low power microcontroller
Low-power microcontrollers such as the MAX32626 are targeted at wearable devices and thus are not “safety-focused” ICs. However, the product is designed with future security challenges in mind as attacks become more frequent. Therefore, the MAX32626 has a hardware trust protection unit that supports authentication as well as hardware AES for encryption and built-in secure boot.