Atmel recently expanded its CryptoAuthentication portfolio with the ATECC108 solution, an elliptical curve cryptography (ECC) product. As Atmel Product Marketing Manager Alex Dean notes, there are two basic encryption methods available on the security market today: symmetric and asymmetric key based algorithms.
“In the context of using cryptography for authentication, symmetric key encryption uses an identical key on both a host and its client, while asymmetric key encryption employs two related keys (public and private),” Dean told Bits & Pieces.
“Perhaps most importantly, asymmetric key encryption eliminates the security risk of key sharing, as the private key is never exposed. Essentially, a message that is signed using the private key can only be verified by applying the same algorithm via a matching public key.”
Symmetric key algorithms are significantly faster computationally than asymmetric algorithms, as the encryption process is less complicated. As such, symmetric key solutions like Atmel’s ATSHA204 are quite versatile for a wide variety of use cases, including mobile items (smartphones, tablets), medical devices, industrial automation and smart energy, as well as any application where host-client authentication is needed. In addition to its asymmetric key attributes, the ATECC108 also performs symmetric key algorithm and is backward compatible to ATSHA204.
So when is an asymmetric key solution most appropriate? According to Dean, a complex medical platform (static) can best illustrate the need for an asymmetric key approach – specifically when such a system does not share the same key with an accessory (dynamic).
“When it comes to medical care, doctors and nurses want to ensure an accessory connected to hospital equipment is legitimate and not a cheap knockoff clone which can potentially endanger the lives of patients under their care. We know static systems are stringently reviewed by the FDA – and a hardware modification to implement security often triggers a lengthy re-approval process. However, their accessories and attachments, such as probes or catheters, are typically manufactured for one-time use and therefore subject to a different and sometimes less stringent regulation,” he explained.
“So an asymmetric key solution such as Atmel’s ATECC108 is most appropriate here. It is not necessary to modify any hardware on the static system to implement a public key, which by definition does not have to be protected. Inserting an ATECC108 to the accessory to protect the private key needed for authentication does not necessarily trigger re-certification due to different regulations that regulate the dynamic system – especially when the modification could be considered administrative (such as authentication), rather than medical. In short, an asymmetric key approach enables a medical equipment manufacture to quickly modify a medical system to ensure a host will only function with a genuine OEM accessory or peripheral manufactured by an authorized third party supplier. Remember, software is quite easy to compromise, so you need to protect the private key in the accessory or peripheral with ironclad hardware like the ATECC108.”
Similarly, since the public key on the static system does not require protection, systems already deployed in the field can be easily retrofitted with such a key via a simple administrative software upgrade involving the host system – a strategy that neatly avoids a time consuming FDA re-certification for a static hospital platform.
“Plus, the ECC algorithm (used by ATECC108) is far more efficient than RSA, which requires 3,000 bits to accomplish what the ECC can do with 256 bits. The RSA is slower, because it has to process such a large key size. That is why we see the industry shifting towards an ECC approach,” added Dean.
Lastly, in addition to the traditional UDFN and SOIC packages, the ATECC108 also offers a three-lead contact package that does not require a PCB and can be laminated directly to an item.
Pingback: ATECC108 deep dive: Part 1 | Bits & Pieces from the Embedded Design World