By: Steve Jarmusz
I have seen many software programs touting that they have security built into the code. Having the algorithm in software is not in itself a bad thing; having the keys or roots of trust stored in a non-secure external Flash device, or in the internal non-volatile memory of the MCU, is. It leaves the system open to attack. Software-based security schemes typically either use the crypto accelerators that are built into the MCU or implement the algorithms entirely in software, but in both cases the key still sits in ordinary memory, so anyone who can dump the firmware image can recover it. We have seen hack shops in Asia that will extract the keys from a binary file for a nominal fee, so that is not secure. Even if the engineers choose a microcontroller with crypto accelerators inside, those accelerators are normally not protected from tampering.

In contrast, hardware-based security schemes use a device that has been created specifically to address a particular security need. Such devices usually provide secure key storage, so the key can be neither read from the outside nor changed. Their algorithms are implemented in hardware in a way that is secure and tamper resistant, and they usually include built-in protection mechanisms that respond to environmental or physical attacks. So in your next design, I highly recommend that you spend a little time researching hardware security.
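As an added illustration, not part of the original post, the script below shows why a key kept in plain Flash is only as secret as the firmware image. It builds a constructed firmware image (low-entropy "code" bytes, erased-flash padding, a 32-byte demo key and a decoy lookup table), scans it for high-entropy blocks the way binwalk-style tools do, and then tells the real key apart from the decoy by recomputing the HMAC-SHA256 tag of a constructed "captured" command. The offsets, the byte alphabet, the demo key, the decoy and the command are all assumptions made for the demo; the only real-world dependency is the Python standard library.

```python
import hmac
import hashlib
import math
import random
from collections import Counter

BLOCK = 16        # scan granularity in bytes
THRESHOLD = 3.5   # bits per byte; a 16-byte block tops out at 4.0

KEY_OFFSET = 0x400    # assumed location of the key inside the image
DECOY_OFFSET = 0x800  # assumed location of a high-entropy lookup table

# Constructed demo secret (not a real key): 32 distinct byte values, so its
# entropy is maximal for its length, like a real random key would be.
DEMO_KEY = bytes((0x3B + 0x3D * i) & 0xFF for i in range(32))
# Constructed decoy: a 32-entry table that is just as high-entropy as the key.
# This is why an entropy scan alone yields candidates, not the key.
DECOY_TABLE = bytes((0x05 + 0x25 * i) & 0xFF for i in range(32))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(image: bytes, block: int = BLOCK,
                         threshold: float = THRESHOLD):
    """Return [(offset, length)] for maximal runs of consecutive blocks
    whose entropy exceeds `threshold`: keys, tables, compressed blobs."""
    regions, start = [], None
    for off in range(0, len(image), block):
        if shannon_entropy(image[off:off + block]) > threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(image) - start))
    return regions


def recover_key(image: bytes, msg: bytes, tag: bytes, key_len: int = 32):
    """Slide a key_len window over every candidate region and return
    (offset, key) for the one that reproduces the captured HMAC tag."""
    for off, length in high_entropy_regions(image):
        for k in range(off, off + length - key_len + 1):
            cand = image[k:k + key_len]
            if hmac.compare_digest(hmac.new(cand, msg, hashlib.sha256).digest(), tag):
                return k, cand
    return None


def build_sample_image(size: int = 0x1000) -> bytes:
    """Constructed firmware image: code-like bytes drawn from a small
    alphabet (low entropy), erased Flash (0xFF), the key and the decoy."""
    rng = random.Random(7)
    alphabet = b"\x00\x20\x46\x47\x68\x70\xb5\xbd"
    img = bytearray(rng.choice(alphabet) for _ in range(size))
    img[0xE00:] = b"\xFF" * (size - 0xE00)
    img[KEY_OFFSET:KEY_OFFSET + 32] = DEMO_KEY
    img[DECOY_OFFSET:DECOY_OFFSET + 32] = DECOY_TABLE
    return bytes(img)


def captured_exchange():
    """Constructed stand-in for a sniffed authenticated command:
    (message, tag) where the firmware computed tag = HMAC(key, message)."""
    msg = b"CMD=UNLOCK_DEBUG;seq=17"
    return msg, hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    image = build_sample_image()
    print("high-entropy regions:",
          [(hex(o), n) for o, n in high_entropy_regions(image)])  # 0x400 and 0x800
    msg, tag = captured_exchange()
    off, key = recover_key(image, msg, tag)
    print("key recovered at", hex(off), key.hex())
```

The scan deliberately uses aligned 16-byte blocks so that the demo is deterministic; real tools use overlapping windows and finer steps, and a key need not be aligned. The point the post is making survives either way: the verification step costs one HMAC per candidate, so the "secret" in Flash is recovered from nothing more than a firmware dump and one captured message, whereas a key that never leaves a secure element cannot be pulled out of the image at all.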