Fixed challenge authentication is an easy way to add security to your product without the expense of additional hardware on the host or client, interactive testing, or extensive software development.
Fixed Challenge Response
Fixed challenge authentication is the only authentication model that does not require a key or calculation on either the host or client. With the fixed challenge model, the host sends the same challenge every time authentication is needed, and the client always responds with the same response. Because the same challenge and response are always used, both sides can hold a pre-calculated version of the challenge/response pair.
The major weakness in this model is that an attacker can monitor the bus, record the challenge/response pair, and then use the recording to fool the system into validating a fake device. This is known as a replay attack and is one of the easiest forms of attack. To counter this, the host can hold a list of challenge/response pairs and select from the list at random, which requires the attacker to record multiple transactions on the bus before being able to fool the system.
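The host side of the list-based countermeasure described above, as an added example that is not from the original article or from Atmel's code. The table contents, the shortened 4-byte lengths, and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define CHAL_LEN  4   /* shortened, constructed sizes for readability */
#define RESP_LEN  4
#define NUM_PAIRS 4

/* Constructed sample pairs. In a product these are pre-calculated offline,
   so the host stores no key and performs no cryptographic calculation. */
struct cr_pair { uint8_t challenge[CHAL_LEN]; uint8_t response[RESP_LEN]; };
static const struct cr_pair pairs[NUM_PAIRS] = {
    {{0x10, 0x11, 0x12, 0x13}, {0xA0, 0xA1, 0xA2, 0xA3}},
    {{0x20, 0x21, 0x22, 0x23}, {0xB0, 0xB1, 0xB2, 0xB3}},
    {{0x30, 0x31, 0x32, 0x33}, {0xC0, 0xC1, 0xC2, 0xC3}},
    {{0x40, 0x41, 0x42, 0x43}, {0xD0, 0xD1, 0xD2, 0xD3}},
};

/* Pick the pair for this attempt. rand() is a stand-in: a real host should
   use an unpredictable source so the selection cannot be anticipated. */
size_t pick_pair(void) { return (size_t)rand() % NUM_PAIRS; }

/* Constant-time compare: no early exit that reveals how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Validate the client's answer against the pair that was actually issued. */
int verify_response(size_t issued, const uint8_t *resp, size_t len) {
    if (issued >= NUM_PAIRS || len != RESP_LEN) return 0;
    return ct_equal(pairs[issued].response, resp, RESP_LEN);
}

/* How many of the host's challenges one recorded response would satisfy.
   The result, 1 of NUM_PAIRS, is the replay exposure left per recording. */
int challenges_accepting(const uint8_t *recorded) {
    int hits = 0;
    for (size_t i = 0; i < NUM_PAIRS; i++)
        hits += verify_response(i, recorded, RESP_LEN);
    return hits;
}

int main(void) {
    size_t i = pick_pair();   /* send pairs[i].challenge to the client */
    return verify_response(i, pairs[i].response, RESP_LEN) ? 0 : 1;
}
```

A longer list lowers the chance that a single recording matches the next challenge, but the whole table still sits in host memory, which is the weakness the next paragraph addresses.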
Another key weakness in the system is that the challenge/response pairs need to be stored in memory, making them easy to extract from the host. One solution to this is to add a hardware authentication device to the host. Adding a hardware device like the Atmel ATSHA204 CryptoAuthentication IC allows the system to increase the level of security without the need to change any client device already in the field.
Atmel’s ATSHA204 CryptoAuthentication™ device allows four different ways to perform symmetric cryptographic authentication on a system:
Fixed Challenge Authentication
Fixed Challenge Authentication is an easy way to add security to a product without the expense of added hardware to the host, interactive testing, or extensive software development. With Fixed Challenge Authentication, the client requires an ATSHA204 device programmed with secret keys. The host is able to use any number of pre-calculated challenge/response pairs to validate the presence of a valid ATSHA204 on the client side.
Random Challenge Authentication
Random Challenge Authentication improves on the Fixed Challenge method by adding a Random Changing Challenge to each request. This feature enables the system to defend against replay-style attacks.
By adding an ATSHA204 device to the host, the system can generate a Random Challenge for the client on the fly. In addition, by generating the challenge internally with the host’s ATSHA204 device, the response is unknown to the system, allowing the use of an unsecured processor without the threat that an attacker will be able to learn system secrets. This dramatically limits the ability of an unauthorized device to produce the correct response.
Unique Challenge Authentication
Unique Challenge Authentication improves on the Fixed Challenge by adding a Unique Challenge to each request. This authentication feature enables the system to defend against replay-style attacks.
By adding an ATSHA204 device to the host, the system can generate a challenge for the client on the fly. This allows a unique challenge to be sent for every validation request.
Diversified Key Authentication
This method includes the unique serial number of each ATSHA204 as part of the Cryptographic Authentication calculation. Diversified Key Authentication enables the host to identify the specific accessory that is trying to authenticate with it. This approach also enables the use of access lists (black lists) by the system.
With so many different authentication models available, you can select the approach that best fits your design’s requirements, keeping your valuable intellectual property (IP) safe from malicious attacks or cloning. To learn more about designing with the ATSHA204, including some design tips and tricks, check out this white paper. Also, stay tuned for further deep dives into each of these models in the weeks to come.