Forward secrecy made real easy

---

Taking a closer look at how ATECC508A CryptoAuthentication devices can help in providing robust authentication.  

---

Forward secrecy, which is often referred to as Perfect Forward Secrecy (PFS), is essentially the protection of ciphertext with respect to time and changes in security of your cryptographic session keys and/or primary keying material over time.

A cryptographic session key is used to authenticate messages and encrypt text into ciphertext before it is transmitted. This thwarts a “man in the middle” from understanding the message and/or altering that message. These keys are derived from primary keying material. In the case of Public Key Cryptography, this would be the private key.

Unless you are implementing your own security in the application layer, you probably rely on the TLS/SSL in the transport layer.

The Problem

One can envision a scenario in which ciphertext was recorded by an eavesdropper over time. For a variety of reasons out of your control, your session keys and/or primary keying material are eventually discovered and this eavesdropper could decipher all of those recorded transmissions.

Release of your secret keys could be the result of a deliberate act, as with a bribe, a disgruntled employee, or even someone thinking they are “doing the right thing” by exposing your secrets. Or, it could be the result of an unwitting transgression from protocol. Equipment could be decommissioned and disposed of improperly. The hard drives could be recovered using the infamous dumpster dive attack methodology, thus exposing your secrets.

If you rely solely on transport layer security, your security could be challenged knowingly or unknowingly by third parties controlling the servers you communicate with. Recently leaked NSA documents shows powerful government agencies can (and do) record ciphertext. Depending on how clever or influential your snoopers are, they could manipulate the server system against you.

There are many ways your forward security could be compromised at the server level, including server managers unwittingly compromise it due to bad practices, inadequate cipher suites, leaving session keys on the server too long, the use of resumption mechanisms, among countless others.

Let’s just say there are many, many ways the security of your session keys and/or primary keying material could eventually be compromised. It only takes one of them. Nevertheless, the damage is irreversible and the result is the same: Those recorded ciphertext transmissions are now open to unintended parties.

The Solution

You can wipe out much of your liability by simply changing where encryption takes place. If encryption and forward secrecy are addressed in the application layer, session keys will have no relationship with the server, thereby sidestepping server based liabilities.This, of course, does not imply transport layer security should be discarded.

A public/private key system demonstrates the property of forward secrecy if it creates new key pairs for communication sessions. These key pairs are generated on an as-needed basis and are destroyed after a single use. Their generation must be truly random. In fact, they cannot be the result of a deterministic algorithm. Once a session key is derived from the public/private key pair, that key pair must not be reused.

Atmel’s newly-revealed ATECC508A CryptoAuthentication device meets this set of criteria. It has the ability to generate new key pairs using a high quality truly random number generator. Furthermore, the ATECC508A supports ECDH, a method to spawn a cryptographic session key by knowing the public key of the recipient. When these spawned session keys are purposely short-lived, or ephemeral, the process is known as ECDHE.

Using this method, each communication session has its own unique keying material. Any compromise of this material only compromises that one transmission. The secrecy of all other transmissions remains secure.

The Need for Robust Authentication

Before any of the aforementioned instances can occur, the identity of the correspondents needs to be robustly authenticated. Their identities need to be assured without doubt (non-repudiation), because accepting an unknown public key without robust authentication of origin could authorize an attacker as a valid user. Atmel’s ATECC508A provides this required level of authentication and non-repudiation.

Not only is the ATECC508A a cost-effective asymmetric authentication engine available in a tiny package, it is super easy to design in and ultra-secure. Moreover, it offers protective hardware key storage on-board as well a built-in ECC cryptographic block for ECDSA and ECDH(E), a high quality random number generator, a monotonic counter, and unique serial number.

With security at its core, the Atmel CryptoAuthentication lineup is equipped with active defenses, such as an active shield protecting the entire device, tamper monitors and an active power supply circuit which disallows the ability to “listen” for bits changing. The ECC-based solutions offer an external tamper pin, so unauthorized opening of your product can be detected.

A closer look at Atmel’s ATECC108

Atmel recently expanded its CryptoAuthentication portfolio with the ATECC108 solution, an elliptical curve cryptography (ECC) product. As Atmel Product Marketing Manager Alex Dean notes, there are two basic encryption methods available on the security market today: symmetric and asymmetric key based algorithms.

“In the context of using cryptography for authentication, symmetric key encryption uses an identical key on both a host and its client, while asymmetric key encryption employs two related keys (public and private),” Dean told Bits & Pieces.

“Perhaps most importantly, asymmetric key encryption eliminates the security risk of key sharing, as the private key is never exposed. Essentially, a message that is signed using the private key can only be verified by applying the same algorithm via a matching public key.”

Symmetric key algorithms are significantly faster computationally than asymmetric algorithms, as the encryption process is less complicated. As such, symmetric key solutions like Atmel’s ATSHA204 are quite versatile for a wide variety of use cases, including mobile items (smartphones, tablets), medical devices, industrial automation and smart energy, as well as any application where host-client authentication is needed. In addition to its asymmetric key attributes, the ATECC108 also performs symmetric key algorithm and is backward compatible to ATSHA204.

So when is an asymmetric key solution most appropriate? According to Dean, a complex medical platform (static) can best illustrate the need for an asymmetric key approach – specifically when such a system does not share the same key with an accessory (dynamic).

“When it comes to medical care, doctors and nurses want to ensure an accessory connected to hospital equipment is legitimate and not a cheap knockoff clone which can potentially endanger the lives of patients under their care. We know static systems are stringently reviewed by the FDA – and a hardware modification to implement security often triggers a lengthy re-approval process. However, their accessories and attachments, such as probes or catheters, are typically manufactured for one-time use and therefore subject to a different and sometimes less stringent regulation,” he explained.

“So an asymmetric key solution such as Atmel’s ATECC108 is most appropriate here. It is not necessary to modify any hardware on the static system to implement a public key, which by definition does not have to be protected. Inserting an ATECC108 to the accessory to protect the private key needed for authentication does not necessarily trigger re-certification due to different regulations that regulate the dynamic system – especially when the modification could be considered administrative (such as authentication), rather than medical. In short, an asymmetric key approach enables a medical equipment manufacture to quickly modify a medical system to ensure a host will only function with a genuine OEM accessory or peripheral manufactured by an authorized third party supplier. Remember, software is quite easy to compromise, so you need to protect the private key in the accessory or peripheral with ironclad hardware like the ATECC108.”

Similarly, since the public key on the static system does not require protection, systems already deployed in the field can be easily retrofitted with such a key via a simple administrative software upgrade involving the host system – a strategy that neatly avoids a time consuming FDA re-certification for a static hospital platform.

“Plus, the ECC algorithm (used by ATECC108) is far more efficient than RSA, which requires 3,000 bits to accomplish what the ECC can do with 256 bits. The RSA is slower, because it has to process such a large key size. That is why we see the industry shifting towards an ECC approach,” added Dean.

Lastly, in addition to the traditional UDFN and SOIC packages, the ATECC108 also offers a three-lead contact package that does not require a PCB and can be laminated directly to an item.

Secure personalization service safeguards your IP

Written by Steve Jarmusz

Afraid of having your IP/firmware stolen?  Don’t want unauthorized accessories in the marketplace taking revenue that’s rightfully yours and potentially damaging your brand equity?  Security concerns are serious and worth addressing, but what if you don’t have the expertise in cryptography or infrastructure?

Well, one turnkey solution that does not require security expertise are Atmel ATSHA204 CryptoAuthentication™ ICs.  Atmel provides a personalization service to customers of CryptoAuthentication products. This personalization service (configuring the CryptoAuthentication device for a specific application) is performed at final package test. Before this service can be performed, Atmel solicits secrets from the customer while never knowing the value of those secrets. The secrets are received from the customer encrypted and stay encrypted until they are requested by the test program at final package test. Because of the transport key mechanism innate to the ATSHA204 silicon, these secrets are even encrypted at the probe tips while they are being placed into the secure memory of the ATSHA204.

How does Atmel protect the secrets solicited from customers? We use a SafeNet Hardware Security Module (HSM), which are ranked #1 in worldwide markets. HSMs provide the highest performing, most secure transaction security solutions for enterprise and government organizations. They are used in banking, military, and other government applications where information security is paramount.

SafeNet, Hardware Safety Module

Atmel sends customers that are going to use the Secure Personalization Service the public key of a RSA key pair that was generated and stored on the HSM. Atmel also provides a template that represents the CryptoAuthentications memory contents and an encryption utility. Once the customer fills in this template with their specific data, it is encrypted with an AES key generated by the encryption utility. After AES encryption, the AES key is encrypted with the public RSA key and then deleted.

The encryption utility subsequently packages the AES encrypted template with customer secrets, the encrypted AES key and various other non-encrypted data used for data integrity into a file that is sent to Atmel. This file then is placed on the HSM system at locations performing the final ATSHA204 package tests. When the tester has determined that the ATSHA204 has passed all functional and electrical tests, that file is sent into the HSM for decryption. It is here that the secrets are placed into the ATSHA204 device’s secure memory. Both device and the SafeNet HSM are tamper proof. If a physical attack or tamper is detected, all data contents are destroyed.