The “Key” to Reality

If we wanted to reduce the definition of authentication to its most Zen-like simplicity, we could say authentication is “keeping things real.” To keep something real you need to have some sort of confirmation of its identity, as confirmation is the key (so to speak).

The equation could be as follows:

Identification + Confirmation = Authentication

Confirming or validating the identity of a document, item, data, etc. is what keeping things real is all about. Some of the “things” that can be authenticated with cryptographic methods are mobile, medical, and consumer accessories; embedded firmware; industrial network nodes; and sensors, among others. Soon IoT and vehicle-to-vehicle communication will join in.

Authentication is far more important than many people realize, especially in our growing hyper-connected world that now links billions of people (and things). In cyber-land, authentication is accomplished by deploying cryptographic keys and algorithms. Keys are fundamental to keeping things real—so that is what we mean by “the key to reality.”

There are two primary types of Authentication: Symmetric and Asymmetric. Atmel offers secure key storage devices for both types. These two important techniques take their names directly from whether the keys on each side (i.e. the host and client sides) are the same or different.

Symmetric Authentication

If the same secret key is used on the client and on the host, then the application is symmetric, just like the name suggests. Both of the symmetric keys must be protected because if either one gets out then the security will be lost. This is perhaps analogous to having two sets of car keys. Meaning, losing either one makes it easy for a thief to drive away with your car. So, the secret keys must stay secret.

Symmetric Keys are the Same

The identical keys on the host and client are used in mathematical calculations to test the reality of client devices. A very common mathematical calculation that is used is a hash function based upon a cryptographic algorithm (such as SHA). A hash operation produces a hash value (also called “digest”), which is a number of a specified length that is usually smaller than the numbers used as the inputs. A hash is a one-way operation, which means that the inputs cannot be recreated from the hash value.

With symmetric authentication a typical process is to challenge the client device to be authenticated by sending it a random number. The client then puts the random number challenge and a secret key into the hash algorithm to create a hash value, which is known as the “response.” Each challenge will generate a unique response.

It should be noted that cryptographers call a hash of a random number with a secret key a “Message Authentication Code” or “MAC.” The diagram below illustrates this process. Because the host key is the same on the host and client sides, the exact same calculation can run on the host. Once that happens, the hash values (“MACs”) from each can be compared. If the hash values match, the client is considered to be real. You can see that symmetric authentication is really a simple process, but it is loaded with mathematical elegance. Now let’s look at asymmetric authentication.

Hashing a Random Number with a Secret Key

 

Asymmetric Authentication.

Asymmetric keys are presented in public-private pairs. More specifically, the public and private keys are related to each other via a mathematical algorithm. An example would be the Elliptic Curve Cryptography (or “ECC”) algorithm. Only the private key has to be securely stored. Because the keys are different, asymmetric authentication cannot use the same calculate-and-compare process as symmetric.

Asymmetric requires more complicated techniques such as making digital signatures that are verified for authenticity (this is called “Sign-Verify”). An example of asymmetric authentication using ECC algorithms is Elliptic Curve Digital Signature Algorithm (or “ECDSA”).  A major benefit of the Atmel ATECC108A device is that it can be used to easily implement ECDSA sign-verify. (The steps of ECDSA are very interesting, but they will be covered in a separate article). Note that an important trade-off between symmetric and asymmetric authentication is the speed of operation. For example, authentication time for the Atmel ATSHA204A is 12ms (typical) for symmetric versus more than a second for many microcontrollers to execute an asymmetric ECDSA operation.

Getting back to the keys:   The secret keys must stay secret. If keys are the keys to authentication (i.e. reality),  then secure storage of the secret keys is the key to SECURE authentication. And that is the real point here.

So the, how is secure storage implemented? The best way is to use hardware key storage devices that can withstand attacks that try to read the key(s). Atmel CryptoAuthentication products such as the ATSHA204A, ATECC108A  and ATAES132 implement hardware-based storage, which is much stronger than software based storage because of the defense mechanisms that only hardware can provide against attacks. Secure storage in hardware beats storage in software every time. Adding secure key storage is an inexpensive, easy, and ultra-secure way to protect firmware, software and hardware products from cloning, counterfeiting, hacking, as well as other malicious threats.

For more details on Atmel CryptoAuthentication products, please view the links above  or the introduction page CryptoAuthentication. Future Bits & Pieces articles will take in an in-depth look at how symmetric and asymmetric authentication is accomplished.         

Hardware key storage stops the bleeding

The Heartbleed security bug is a really big deal, especially given today’s hyper-connected, information obsessed society. This nasty bug, which has been characterized as “catastrophic” by industry gurus, permits anyone on the Internet to access the memory of systems using various versions of OpenSSL software. This is ironic since that very software was specifically designed to protect data.

Nevertheless, Heartbleed exposes secret keys used for authentication and encryption, which are the two primary foundations of how security is generally ensured. By exposing keys Heartbleed thus exposes actual data, user names, and user passwords to anyone. This is virtually everything. Ouch!   Attackers (i.e. hackers, cybercriminals, spies, state-sponsored electronic armies, and others with malevolent intent) can observe and steal data without a trace, which is virtually the literal industry definition of the term “man-in-the-middle” attack.

The threat that Heartbleed represents has rightly gained widespread attention. Fortunately, such attention has stimulated a major market reaction and lead to whole scale changing of user passwords, proliferation of patches, and other fixes. It has also brought the need for more extensive code testing into the open. Heartbleed and other major security revelations are making people look at security much more seriously, which also extends to embedded systems.

Frankly, it is about time. Embedded system insecurity gained major notoriety recently with the revelation that commercial WiFi routers have old and buggy firmware that can be used as a back door into home and commercial networks. Such loopholes were in fact used by a criminal organization in Eastern Europe to steal cash. The risk was amplified by the revelation that mischievous “agencies” tasked with collecting and processing information without permission can exploit the vulnerabilities at will.

Embedded system firmware insecurity affects individuals, institutions, governments, and corporations—which is pretty much everyone. Highly respected market researchers have noted that bad behavior and bad actors are running rampant. For example, the number of active threat groups being tracked has risen to over 300, which is more than 400% higher than in 2011. Nation-states have become hyper-active in cyber-espionage and hacking. This is because it is now possible to literally upload damage to a target, which is kind of a science fiction scenario come true.

In the same vein, secret information is easily downloaded, especially with security vulnerabilities from Heartbleed, router back-doors, and others. More than 95% of networks have become compromised in some way, and directed attacks will only get worse as mobile platforms continue to expand worldwide. An unnerving figure is that vulnerable systems placed on the Internet are being compromised now in less than 15 minutes. That is not really a surprise given the wildly disproportionate cost / ”benefit” of cyber meddling, which is devilishly tempting to malicious operators.

The security situation is extremely complicated for embedded systems because embedded firmware is highly fragmented, difficult to update, hard to track, often obsolete, hard to access, and employs a wide range of processors and code languages. The router loopholes mentioned above are in fact a direct expression of the vulnerabilities endemic to embedded systems and the severe damage those vulnerabilities can cause downstream. It is now clear that embedded system vulnerabilities affect everyone. So, the question becomes, “What can be done to increase security in embedded systems?”

As Heartbleed and cyber attacks have illustrated, encryption and authentication keys must be protected. There is no other option. Cryptography may be mathematically and systematically ultra-detailed and uber-complicated, but the most important and fundamental security concept is beyond simple: namely, “Keep the secret keys secret.”  The best way to do that is to lock the secret keys in protected hardware devices.

Hardware key storage beats software key storage every time, which is one of the “key” lessons of the recent vulnerability revelations. But how does an embedded system manufacturer ensure their products are secure and protected from attack? Fortunately, the solution is simple, available, and cost effective, and that is to use hardware key storage devices such as Atmel’s ATSHA204A, ATECC108A  and ATAES132.

These products are all designed to secure authentication by providing a hardware-based storage location with an impressive range of proven physical defense mechanisms, as well as secure cryptographic algorithms and processes. Go to the links above for more details or the introduction page CryptoAuthentication.

Future Bits & Pieces posts will describe the different types of authentication and the various steps that the devices and associated processors implement.

What is authentication and why should you care?

Authentication means making sure that something is real, just like it sounds.

In the real world, authentication has many uses. One of the most recognizable is anti-counterfeiting, which means validating the authenticity of a removable, replaceable, or consumable client. Examples include system accessories, electronic daughter cards and spare parts. Of course, authentication is also employed to validate software and firmware modules, along with memory storage elements.

Another important and growing role for authentication is protecting firmware or media by validating that code stored in flash memory at boot time is the real item – effectively helping to prevent the loading of unauthorized modifications. Authentication also encrypts downloaded program files that can only be loaded by an intended user, or uniquely encrypt code images that are accessible on a single, specific system. Simply put, authentication of firmware and software effectively makes control of code usage a reality, which is important for IP protection, brand equity maintenance and revenue enhancement.

Storing secure data, especially keys, for use by crypto accelerators in unsecured microprocessors is a fundamental method of providing real security in a system. Checking user passwords via authentication means validation – without allowing the expected value to become known, as the process maps memorable passwords to a random number and securely exchanges password values with remote systems. Authentication facilitates the easy and secure execution of these actions.

Examples of real-world benefits are quite numerous and include preserving revenue streams from consumables, protecting intellectual property (IP), keeping data secure and restricting unauthorized access.

But how does a manufacturer ensure that the authorization process is secure and protected from attack? With hardware key storage devices such as Atmel’s ATSHA204A, ATECC108A and ATAES132 – which are all designed to secure authentication by providing a hardware-based storage location with a range of proven physical defense mechanisms, as well as secure cryptographic algorithms and processes.

The bottom line? Hardware key storage beats software key storage every time – because the key to security is literally the cryptographic key. Locking these keys in protected hardware means no one can get to them. Put another way, a system is not secure if the key is not secure – and the best way to secure a key is in hardware. It is that simple.

Future Bits & Pieces posts will explore various methods of authentication such as asymmetric and symmetric, the ways in which Atmel’s key storage devices operate, specific authentication use models and other security related topics.

Video: Designing a mesh networked conference badge

Andrew Nohawk recently attended ZaCon V, a free South African security conference. In honor of the event, Nohawk decided to design an interactive mesh networked conference badge.

As HackADay’s Mathieu Stephan reports, the slick platform is powered by Atmel’s stalwart ATmega328 microcontroller (MCU). Additional features include a Nokia 5110 LCD, a 433MHz AM/OOK TX/RX module, a few LEDs and an assortment of buttons.

“The badges form a mesh network to send messages. This allows conversations between different attendees to be tracked,” Stephan explained.

“Final cost was the main constraint during this adventure, which is why these particular components were chosen and bought from eBay & Alibaba.”

According to Stephan, the first PCP prototypes were CNC milled and required quite a bit of soldering to finish off the 77 final boards. Meanwhile, the protocol itself was verified using Maltego.

“Of the 77 badges soldered together (at various stages of ‘full working order’ – especially the BYOB people) the front computer captured 9810 transmissions, 49 badges and 201 different relationships,” Nohwak confirmed in a blog post detailing the project.

Interested in learning more? You can access the relevant code, raw sqlite database and Maltego graphs from GitHub here or visit the project’s official blog post here.

Atmel’s Tech on Tour heads to Napa

After a successful Tech on Tour (ToT) stop in San Francisco’s SoMa neighborhood, the Atmel Mobile Training Center is heading to California’s sunny Napa Valley.

We’ll be at the Meritage Resort & Spa on 875 Bordeaux Way on March 23-24, 

showcasing a wide variety of tech across a number of spaces including touch, security, microcontrollers (MCUs), wireless, lighting and automotive.

More specifically, you can check out:

• Agent smartwatch (Secret Labs) powered by Atmel’s ARM-based SAM4S and tinyAVR MCU
• Philips Hue Bulbs with Atmel‘s ZigBee and Lightweight Mesh Stack
• Turtle Beach i60 Wireless Gaming Headset with Atmel Wi-Fi
• Direct
Roku3 remote with Atmel’s Wi-Fi Direct 
• Venstar Color Touch Thermostat with Atmel’s ARM9-based MCU
• Makerbot 3D printer with Atmel AVR microcontrollers
• ASUS T100 Transformer with Atmel’s MaxTouch T Series Cap Touch controller and XSense Metal mesh touch sensors

In addition, Sander Arts, VP of Corporate Marketing at Atmel, will be hosting a session on easy-to-use, fully integrated solutions for University students at 12:30 pm on March 23 in the Carneros Ballroom.

“In this short session, students will see how Atmel provides a broad portfolio of hardware and software solutions that are easy-to-use and cost-effective for the classroom environment. Our boards and software development kits provide students hands-on training with some of the latest electronics for developing fun applications using Ardunio-based boards to Atmel’s own development solutions,” Arts told Bits & Pieces.

“They will also hear about Atmel’s revamped University Program and how we are using our latest social media channels, mobile trailer, challenges and competitions to engage with University students.”

Interested? You can register for the event here.

Atmel’s Tech on Tour heads to SF

After successfully wrapping up SXSW 2014 in Austin, Atmel’s Tech on Tour (ToT) trailer is back on the road to the Bay Area – with a long-awaited San Francisco SoMa stop scheduled for March 18, 2014.

We’ll be at China Basin, Lot C @ 185 Berry Street (between 3rd and 4th) from 10AM-6PM, showcasing a wide variety of tech across a number of spaces including touch, security, microcontrollers (MCUs), wireless, lighting and automotive.

More specifically, you can check out:

• Agent smartwatch (Secret Labs) powered by Atmel’s ARM-based SAM4S and tinyAVR MCU
• Philips Hue Bulbs with Atmel‘s ZigBee and Lightweight Mesh Stack
• Turtle Beach i60 Wireless Gaming Headset with Atmel Wi-Fi
• Direct
Roku3 remote with Atmel’s Wi-Fi Direct  
• Venstar Color Touch Thermostat with Atmel’s ARM9-based MCU
  
• MakerBot 3D Printer with Atmel AVR microcontrollers
• ASUS T100 Transformer with Atmel’s MaxTouch T Series Cap Touch controller and XSense Metal mesh touch sensors

Atmel’s ToT will also be hosting an industry panel on the rapidly evolving Internet of Things (IoT) at 4:00PM.

Join industry experts from Atmel, ARM, Humavox and August for an interactive discussion on how the IoT, the hottest topic in the technology sphere, is impacting today’s market across multiple segments.

Interested? You can register for the event here. See you in SoMa!!!

Atmel is ready to rock @ SXSW!

Atmel’s Tech on Tour trailer is on the road again and heading to Austin, Texas for SXSW. We’ll be at the Hyatt Regency Austin from March 7-9, 2014, so be sure to stop by during the show to see our latest demos.

We’ll be showcasing a wide variety of tech across a number of spaces, including touch, security, microcontrollers (MCUs), wireless, lighting and automotive.

More specifically, you can check out:

• Agent smartwatch (Secret Labs) powered by Atmel’s ARM-based SAM4S and tinyAVR MCU
• Philips Hue Bulbs with Atmel‘s ZigBee and Lightweight Mesh Stack
• Turtle Beach i60 Wireless Gaming Headset with Atmel Wi-Fi
• Direct
Roku3 remote with Atmel Wi-Fi Direct
• MakerBot 3D Printer with Atmel AVR Microcontrollers
• ASUS T100 Transformer with Atmel’s MaxTouch T Series Cap Touch controller and XSense Metal mesh touch sensors

In addition, we’re proud to host a guest appearance by Autodesk, the very same folks behind the world famous Instructables and 123D Circuits.

With 123D Circuits, you can breadboard and simulate your AVR-powered Arduino-based circuits, while writing, compiling and running code right in your browser. When you’re done, you can have the circuit board professionally made and shipped right to your doorstep.

Interested in learning more about Atmel’s tech on tour? You can check out our official ToT page here.

Reza Kazerounian talks IoT and Makers (Part 1)

Reza Kazerounian, Senior VP and GM of the Microcontroller Business Unit at Atmel, recently sat down with the folks at EEWeb to discuss a wide range of topics including the Maker Movement, the rapidly evolving Internet of Things (IoT) and the future of Atmel’s MCU business.

As Kazerounian notes, the IoT is a combination of multiple market segments, tens of thousands of OEMs and hundreds of thousands of products.

“It is seen by many as the next wave of dramatic market growth for semiconductors. If you look at the different estimates made by market analysts, the IoT market will be worth trillions of dollars to a variety of industries from the consumer to financial, industrial, white goods and other market segments,” he explained.

“Companies that provide cloud-based services, service providers and semiconductor companies will also benefit from this market. The number of small or new companies that are showcasing connective devices has increased – there will be 50 billion connected devices by 2020. These nodes will have characteristics such as low-power embedded processing, a human-machine interface and connectivity.”

That is precisely why Atmel has consolidated the most complete portfolio of IoT technologies: ultra-low power microcontrollers, wireless connectivity, touch controllers, touch materials (XSense), sensor management and security.

“These key IoT ingredients combined with Atmel’s development environment, culture and global support infrastructure will enable us to offer the broadest and most comprehensive IoT solutions in the industry,” he said.

“Atmel is a leading supplier in embedded processing. We compete in the low-power technology market segment because many of the near-home devices have been around for many years and have the ability to be connected wirelessly. These devices include gateways such as routers, access points and more.”

Kazerounian also discussed Atmel’s relationship with the burgeoning DIY Maker Movement which espouses an open hardware philosophy.

“More designers are initially starting with [Atmel-based] Arduino boards for their prototypes, and these designers will eventually become our customers. The Maker community is continuing to grow and is influencing how designers jump-start their first design to accelerate their prototype development,” Kazerounian continued.

“This trend will potentially increase ROI. Atmel is seeing an increase in professional engineers relying on [Atmel-based] Arduino boards to create initial models for their prototypes. The net impact of the Maker movement is the accelerated development of products which contribute to the overall IoT market growth and will ultimately benefit Atmel.”



Note: This is part one of a two-part series. The second installment can be read here.

Light Cryptalk is an Arduino-powered Enigma

An Enigma machine refers to a family of related electro-mechanical rotor cipher machines used in the twentieth century for enciphering and deciphering secret messages. The original Enigma was invented by the German engineer Arthur Scherbius at the end of World War I. According to Wikipedia, early models were used commercially from the early 1920s, although they were later adopted by a number of militaries and governments around the world.

Recently, a young Maker by the name of Michele Lizzit built his own version of the classic cipher machine using an Atmel-powered (SAM3X8E ARM Cortex-M3) Arduino Due.

“The idea of the Maker Faire project came to me when Google dedicated a doodle to Alan Turing. Reading on Wikipedia his story I’ve learned about the Enigma machine. This project was initially realized to be presented as final project of Middle School (junior high – seventh grade). In the first version I used Xbee to transmit and cryptography was just a table substitution,” Lizzit told Zoe Romano of the official Arduino blog.

“I use Linux for everything I do with my computer and I am very grateful to the open source community and to Arduino for making available online for free a huge amount of documentation. I believe that it is important to share your ideas freely and for free so that others like me can learn and so that the opportunities to know, learn and make do not remain available only to those who can spend more.”

Unsurprisingly, Light Cryptalk isn’t the only modern interpretation of the classic Enigma machine to use an Atmel-based Arduino board. Back in October, the folks at ST-Geotronics created a functioning open-source Enigma (M4) replica powered by an Atmel-based Arduino Mega (ATmega1280).

The future of embedded automotive technology

Rob Valiton, senior VP and general manager, Automotive, Aerospace and Memory Business Units, Atmel Corporation, recently participated in an EE Catalog panel discussion about the future of embedded automotive technology.

According to Valiton, there is a wide variety of of technology that will continue to find its way into in-vehicle infotainment (IVI) systems – with capacitive touchscreens projected to be one of the fastest-growing spaces.

“The current dominant touchscreen technology in automotive is resistive. However, resistive technology does not allow consumers to interact with their car the way they interact with their smartphone, tablet and Ultrabook. The superior user interface, including common gesture recognition utilizing pinch/zoom and swiping motions is enabled by the adoption of capacitive technology,” he explained.

“Some newer features such as hover and proximity may also have the potential to create a less-distracted user environment than what exists today. Hover and proximity can be used in combination to ensure that the drivers’ eyes stay on the road for as long as possible and changing basic setting does not require several menu changes.”

In addition, Valiton noted that there are a number of standards which should be (further) unified to accelerate the IVI experience between on-board systems and connectable consumer products, with standards ranging from security and software considerations, to technology such as Bluetooth and Wi-Fi.

“Standards identified by technology standards bodies, such as the Bluetooth SIG or Wi-Fi Alliance, are required in order to unify the IVI experience on-board, specifically in relation to consumer products. These are required to ensure a smooth and seamless connection, as well as a positive experience for the end user,” he said.

“Firmware specifications are identified within a car to ensure connectivity is established flawlessly. [Plus], continued development of standards such as those being developed by the Connected Car Consortium will ensure that drivers can continue to control their devices using existing in-vehicle equipment. Of course, software considerations are also important. Since the infotainment lifecycle of an automobile is typically much longer than in the home, future cars must consider software standards along with the ability to upgrade.”

Valiton also pointed out that there are a number of technologies required to connect a car to the roadway and municipal infrastructure, along with vehicle-to-vehicle communications.

“[Such technology] requires a microcontroller (MCU), numerous sensors, a connectivity solution which can range from Wi-Fi such as 802.11p, GPS and 3G or 4G networks and security. The combination allows cars to connect to roadway and municipal infrastructures such as Fastrak, toll payment or Onstar security systems—all of which are connected to terrestrial and/or wireless connectivity,” he said.

“Clearly, security in automobiles is very important. Remember, we are all used to having virus protection readily available on our PCs, but are unlikely to think that much about how secure our software is in the modern automobile. Until now, the software has been part of a closed system and not subject to hacking. With the new V2V and V2X systems, we will need technology to ensure secure firmware updates and prevent hackers from communicating with unsuspecting drivers and their vehicles.”

Last, but certainly not least, Valiton commented on the future of self-driving cars, citing a recent ORC International survey that claimed only 18 percent of consumers would consider buying a self-driving car.

“Despite this survey, we believe consumers do not have a full understanding of self-driving cars. There are a number of technologies today that are baby steps towards a self-driving car (think automatic braking),” he explained. “One example is the safe park, where the vehicle parks itself. Another example is autopilot, a system used to guide a vehicle without assistance from a person, developed in 1912. Autopilots are used in aircraft, boats (known as self-steering gear), spacecraft, missiles and other vehicles.”

Similarly, an aircraft autopilot still requires human intervention—a pilot and a co-pilot—to ensure that if anything is amiss, they can be sure to steer the plane to safety.

“With self-driving cars, drivers will have the option to set the car in drive and not worry about a long trip or traffic. Similar to cruise control, the self-driving car can be turned off or if there is an emergency, the driver can still have full control of the car,” he added.

The car-to-x system warns of road works, congestion, obstacles and dangerous weather (courtesy Daimler).

“However, with strict automotive standards currently in place, to make this idea a reality, hardware and software must work closely together to achieve a safe and reliable self-driving car and one that is not hackable. Embedded technologies such as microcontrollers, sensors and touch solutions, encryption and even technologies such as 3D scanning are already in place to enable an autonomous vehicle. We are ready for self-driving cars; the real question is whether both manufacturers and drivers are ready to embrace it.”

Interested in learning more about Atmel’s comprehensive automotive lineup? You can check out our full automotive portfolio here.