The act of authentication is very straightforward. Essentially, it is making sure that something is real.
There are two parts to authentication:
- Confirmation of identity
Authentication in the “crypto-verse” typically happens on a host-and-client basis, where the host wants to ensure that a client is real. A typical use case occurs when a client device is inserted into a system and the host asks (“challenges”) the client to confirm its identity. This can occur when an ink cartridge is inserted into a printer, a water filter is put into a refrigerator, a battery is put into a phone, and in numerous other applications. Firmware and software can be authenticated too, but that is a topic for another article.
Think of the challenge as when the castle guard in an old movie asks, “Halt! Who goes there?” The guard expects a suitable response to confirm the identity of the approacher.
Getting back to the real world, authentication is accomplished using a process focused on calculations involving cryptographic keys, and that is true for both of the major types of authentication; namely, symmetric and asymmetric. We will focus on the symmetric process here.
With symmetric authentication, the host and client both have the exact same key, which is in fact how symmetric got its name. Note that it is critical for both keys to be kept secret to ensure security. Keeping secret keys secret is the main touchstone of authentication and data security of any type. The best way to do that is using a secure hardware key storage device.
The basic idea behind symmetric authentication is that if the client is real then it will have the exact same key as the host. Challenge-response is a prescribed methodology to prove it.
The host controller sends the client a numerical challenge to be used in a calculation to create a response, which is then compared to a similar calculation that is performed on the host.
To describe the process in more detail we can look at a typical symmetric authentication architecture using Atmel ATSHA204A devices on both the host and client and a microcontroller in the host. (Another article will explain how this is done with the crypto device on the client only, which is the fixed challenge methodology).
Step 1: The process kicks off when the host sends a random number to the client which is generated by the host’s ATSHA204’s random number generator. This is the “Challenge” and is illustrated above.
Step 2: The client receives the random number challenge and runs it through a hash algorithm (i.e. SHA256) using the secret key stored there. The result of the hashing function is called the “Response” and it can also be called the “Message Authentication Code” (or MAC). A MAC is technically defined as the result of a hashing function involving a key and message. The response is sent to the host.
Step 3: The host internally uses the same challenge (i.e. the random number) that it sent to the client as an input to its internal hash algorithm. The other input to the internal hash is the secret key stored on the host side. Then the host compares the hash value (MAC) calculated on the host side with the response hash value (MAC) sent from the client. If the two hash values (MACs) match, then the keys are indeed the same and the client is proven to be real.
Note that the secret keys are never sent outside the devices, as they always remain securely stored in protected hardware and invisible to attackers. Stated very simply: “You can’t attack what you can’t see.”
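Steps 1 to 3 as a software sketch, added here as an example and not Atmel's code: HMAC-SHA256 from the Python standard library stands in for the device's keyed SHA-256 calculation, and the class names, the 32-byte challenge and the sample keys are assumptions. It also shows why the challenge must be a fresh random number: a response recorded for an earlier challenge is rejected. The keys here sit in ordinary memory, which is exactly what the hardware key storage avoids.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, challenge: bytes) -> bytes:
    # Keyed hash over the challenge. HMAC-SHA256 is a stand-in (assumption);
    # the device's own internal message layout is not reproduced here.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Client:
    def __init__(self, key: bytes):
        self._key = key  # on real hardware this stays inside the crypto device

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)  # Step 2: the response (MAC)

class Host:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # challenge awaiting a response

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)  # Step 1: fresh random number
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: reject
        challenge, self._pending = self._pending, None  # each challenge is single-use
        # Step 3: recompute locally and compare in constant time
        return hmac.compare_digest(mac(self._key, challenge), response)

def authenticate(host: Host, client: Client) -> bool:
    return host.verify(client.respond(host.new_challenge()))

def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    host = Host(key)
    genuine, clone = Client(key), Client(secrets.token_bytes(32))
    recorded = genuine.respond(host.new_challenge())  # response captured on the wire
    host.new_challenge()                              # host later issues a new challenge
    replay_accepted = host.verify(recorded)
    return authenticate(host, genuine), authenticate(host, clone), replay_accepted

if __name__ == "__main__":
    print(demo())
```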
The benefits of a symmetric architecture with secure key storage crypto engine devices on both sides are:
- Symmetric authentication with crypto devices on both sides is quite fast.
- Secure hardware storage on both sides increases security.
- Ensures a very low processing burden on the microcontroller.
For more details on Atmel CryptoAuthentication™ products, please view the links above or the introduction page at CryptoAuthentication.
Other Bits & Pieces articles will detail how Asymmetric Authentication is executed.