Microchip ATSHA204A User Manual

CryptoAuthentication™ Product Uses
AT88SA10HS, AT88SA102S
Application Note
8663B–SMEM–3/09
Abstract
Companies are continuously searching for ways to protect property using
various implementations of security; however the cost of implementation can
drive companies away from effective hardware solutions to less secure
software solutions. With the introduction of the AT88SA10HS/102S devices,
affordable hardware security is now in reach and can provide exceptional
protection for:
- Confidential file protection
- Embedded software anti-cloning
- Development system anti-cloning
- Media transmission encryption
- USB security dongles
- Securing wireless or other radio transmission nodes
- Authentication for data over power lines
- Physical access control
- Electronic lockers
- Hardware user authentication
- Consumable product authentication
- Battery authentication.
1. Overview
This document provides an introduction to the Atmel AT88SA10HS/102S
CryptoAuthentication devices. These exceptional devices enable solutions to
countless problems across many industries. The use cases outlined in this
document will provide a brief description of possible applications for the
AT88SA10HS/102S devices and how they can be implemented.
2. AT88SA10HS/102S Introduction
To understand the operations and applications explained later in this
document you will first need to have a basic understanding of the
AT88SA10HS/102S devices and how they work. The AT88SA10HS and
AT88SA102S were developed to work together. The AT88SA102S is
designed to be embedded in the product that is protected or authenticated
(client) and the AT88SA10HS device is designed to be placed in the
validating system (host). The AT88SA102S client device can be used with or
without the host side device. When the AT88SA102S is used without the
host side AT88SA10HS chip the host microcontroller must store secret
information in order to perform the validation of the client. Having the secret
information stored in the embedded source code presents a security risk as
the secrets may be ascertained with little effort. For the strongest security
the AT88SA10HS host device should be used; this keeps the customer’s
secret keys protected securely in hardware away from hackers attempting to
reverse engineer the host embedded code.
The AT88SA10HS/102S devices use a cutting-edge SHA-256 engine embedded in hardware as the heart of their
security architectures. In the most basic operation the device is sent a challenge to which it will respond with a unique
response that only it can produce. Since challenge and response pairs are nearly infinite for each device, each device
can be used indefinitely without fear of repeating the same challenge-response pair. The response generated by the
device is created by hashing the input challenge with a secret key stored in protected memory; thus a particular device
will always respond exactly the same to a given challenge. A product using the AT88SA10HS/102S can be configured
so that the entire product line uses the same key or so that each device has a unique key. The response that a
particular device will produce can only be reproduced by something that knows the key that is stored in the device.
3. Secure Key Exchange
In addition, the AT88SA102S device can be used for secure key exchange. If the device is used in conjunction with a
symmetric encryption algorithm such as AES or DES an end-to-end encrypted transmission can be created. In the case
of symmetric encryption the weakest link is securely transferring the keys to encrypt and decrypt the data at each end.
The AT88SA102S can facilitate this by using the unique response produced by the device as a key to the symmetric
encryption algorithm. This is done by sending a random challenge to a system that contains the key stored in the
AT88SA102S and then encrypting the message with the system response. The message and the random challenge
are then sent to the client device, where the challenge is fed into the AT88SA102S and the response from the
CryptoAuthentication chip is used as a key to decrypt the message.
4. Key Diversification
Key diversification is highly recommended when using the CryptoAuthentication device. The device is designed with an
embedded 256-bit key that is never exposed. This 256-bit key is always used during the MAC hashing operation of the
SHA-256 engine, however, additional bits can be incorporated into the result as well. CryptoAuthentication also
provides a 62 bit customer secret that can be burned into fuses in the device once, and after which can never be read.
In addition to the 62 bit secret an additional 23 bits of incremental blow fuses can be used as needed by the customer.
All of these methods, as well as the incorporation of the device's unique serial number, can be used in the key
diversification schema. When these values are added into the MAC the response then becomes an output of all of the
values. This makes a strong diversification configuration for the CryptoAuthentication device. When using diversified
keys, a source of compromise can be isolated more easily and a remedy implemented much more rapidly. The incremental
burn fuses provided by the AT88SA102S can also be used to provide consumable usage tracking or to limit device
usage cycles.
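The challenge-response check from Section 2 combined with the diversification values from Section 4, as an added example that is not code from Atmel or from the application note. The field widths and their order inside the hashed message, the fuse model, and the names `compute_mac`, `ClientDevice` and `host_verify` are assumptions made for illustration; the chip's real message format is not given on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def compute_mac(key, challenge, customer_secret, fuse_bits, serial):
    """SHA-256 over key, challenge and diversification values.

    Assumed fixed-width layout for illustration, not the chip's real format.
    """
    if len(key) != 32 or len(challenge) != 32:
        raise ValueError("key and challenge must be 256 bits")
    if customer_secret >> 62 or fuse_bits >> 23:
        raise ValueError("customer secret is 62 bits, fuse field is 23 bits")
    msg = (key + challenge + customer_secret.to_bytes(8, "big")
           + fuse_bits.to_bytes(3, "big") + serial)
    return hashlib.sha256(msg).digest()


@dataclass
class ClientDevice:
    """Constructed stand-in for a client chip and its protected values."""
    key: bytes             # embedded 256-bit key, never exposed
    customer_secret: int   # burned once, cannot be read back
    serial: bytes          # unique serial number, readable by the host
    fuses_blown: int = 0   # how many of the 23 incremental fuses are blown

    def fuse_bits(self):
        return (1 << self.fuses_blown) - 1

    def blow_fuse(self):
        if self.fuses_blown >= 23:
            raise RuntimeError("no incremental fuses left")
        self.fuses_blown += 1

    def respond(self, challenge):
        return compute_mac(self.key, challenge, self.customer_secret,
                           self.fuse_bits(), self.serial)


def host_verify(device, key, customer_secret):
    """Host side: fresh random challenge, recompute, constant-time compare."""
    challenge = secrets.token_bytes(32)
    expected = compute_mac(key, challenge, customer_secret,
                           device.fuse_bits(), device.serial)
    return hmac.compare_digest(device.respond(challenge), expected)
```

Two devices that share the embedded key still answer the same challenge differently once the serial number is mixed in, and blowing an incremental fuse changes every later response from that device.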
5. Programming Services
To enable a greater scale of control of secrets when diversified keys are utilized, Atmel offers a secure programming
service. This programming service provides several key components which implement an end to end management and
secret insertion for production devices programmed during manufacturing at Atmel facilities. The service provides for
secure transport of customer secrets directly to the manufacturing facility and delivering their secrets to their devices.
This service enables customers to minimize the risk of secret compromise by limiting exposure of the secrets to key
personnel, maintaining confidentiality, providing accountability for units programmed, and by verifying that the devices
are locked down properly.
Note: For additional security information read the “CryptoAuthentication High Level Security Design”, which gives a
detailed explanation of the security offered by the CryptoAuthentication family of devices.
6. Confidential File Protection
The AT88SA102S provides an affordable solution that secures documents while in transit. Securing confidential files is
accomplished by using a symmetric encryption algorithm for communication as explained in the introduction. The
individual embedded system devices create a random number and feed it into the AT88SA102S as a challenge. They
then use the response from the AT88SA102S to encrypt the confidential file. The file and the random challenge can
then be transmitted over any public medium. To complete the communication the system consuming the file needs to
have knowledge of the keys stored in the AT88SA102S device that was used to encrypt the file. The consuming
system takes the random challenge it received with the file and feeds it through a SHA-256 algorithm along with the
device secret key. The system then uses the response from the SHA-256 algorithm as the key to decrypt the file.
Embedded systems creating confidential files can all have the same keys or can be configured to have unique keys.
Figure 1 shows a configuration where files are produced by embedded systems; the files in transit could be multiple
files from the same embedded system or files from many embedded systems.
Figure 1. Protecting Files
The AT88SA102S also enables media destined for portable devices to be protected and unusable to any other
application that may intercept the file while in transit. This is also done using a symmetric encryption algorithm as
shown in Figure 1. However the system with knowledge of the keys produces the encrypted file and random input and
transmits them to the portable device. The portable device then takes the random challenge it received with the media
and feeds it into AT88SA102S and uses the response as the key to decrypt the media. Figure 2 shows this
configuration. The files in transit could be multiple files destined for the same portable device or files to many portable
devices.
Figure 2. Encrypting Media
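The exchange described in Sections 3 and 6, with both sides shown, as an added example that is not code from the application note. The chip is modelled as SHA-256 over the secret key and the challenge (a simplification), and a SHA-256 counter keystream stands in for the AES or DES the note names, only so the example runs with the standard library; all function names are hypothetical.

```python
import hashlib
import secrets


def device_response(device_key, challenge):
    """Model of the chip's response: SHA-256 over secret key and challenge."""
    return hashlib.sha256(device_key + challenge).digest()


def keystream_xor(session_key, data):
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(session_key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def protect_file(device_key, plaintext):
    """Producer: random challenge -> response -> key used to encrypt.

    device_key stands for the secret held inside the producer's chip.
    """
    challenge = secrets.token_bytes(32)
    session_key = device_response(device_key, challenge)
    return challenge, keystream_xor(session_key, plaintext)


def open_file(device_key, challenge, ciphertext):
    """Consumer: the received challenge and the same secret give the same key."""
    session_key = device_response(device_key, challenge)
    return keystream_xor(session_key, ciphertext)
```

Only the challenge and the ciphertext travel over the public medium. Because a device always answers a given challenge the same way, the producer draws a new random challenge for every file so that no two files share a key.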

Product specifications

Brand: Microchip
Category: Uncategorized
Model: ATSHA204A
