Tag Archives: Security

Components to a truly secure system

By: James Tomasetta

In today’s increasingly connected world, security is no longer needed just for communicating over the Internet; it is also needed to ensure that the user’s personal computer is free from malicious code. In order to secure the user’s local computer, a root of trust needs to be established, starting from the manufacturer of the hardware and continuing through the firmware and into the installed software. The first key component in securing this root of trust is a fixed or secured boot loader that is inherently trusted by the system and is used to start the authentication sequence, which can be implemented using many existing hardware security chips on the market, such as the ATSHA204 from Atmel. The second key piece is a secure key vault that stores the keys used to tie the signatures on the different pieces of code loaded on the system back to their developers. Once the code has been verified, the boot ROM will start executing it and continue to repeat these steps until the system is fully booted. Once the root of trust has been established for the system, the user can be sure that none of the code running on the system has been modified.
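The verify-then-execute loop described above can be sketched as follows. This is an added example, not code from the post or from Atmel: it uses an HMAC-SHA256 tag as a stand-in for the code signatures the post mentions, and `VAULT_KEY`, the stage names and the image bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key; on real hardware it stays inside the secure key vault.
VAULT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def vault_mac(image: bytes) -> bytes:
    """Stand-in for the key vault: MAC an image without exposing the key."""
    return hmac.new(VAULT_KEY, image, hashlib.sha256).digest()


def package(image: bytes) -> dict:
    """Developer side: ship the image together with its authentication tag."""
    return {"image": image, "tag": vault_mac(image)}


def boot(chain: list) -> list:
    """Verify each stage before running it; return the stages allowed to run."""
    executed = []
    for name, stage in chain:
        expected = vault_mac(stage["image"])
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, stage["tag"]):
            break  # never hand control to code that failed verification
        executed.append(name)
    return executed


def build_chain() -> list:
    """Constructed three-stage boot chain: firmware, OS loader, application."""
    return [
        ("firmware", package(b"firmware v1 image bytes")),
        ("os_loader", package(b"os loader image bytes")),
        ("application", package(b"application image bytes")),
    ]


def tampered_chain() -> list:
    """Same chain, but the OS loader image was modified after it was tagged."""
    chain = build_chain()
    name, stage = chain[1]
    chain[1] = (name, {"image": stage["image"] + b"\x90", "tag": stage["tag"]})
    return chain


if __name__ == "__main__":
    print(boot(build_chain()))
    print(boot(tampered_chain()))
```

With the intact chain every stage runs; with the modified OS loader the boot stops after the firmware, so nothing downstream of the failed check is executed.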

secure boot

 

What is the Difference Between Encryption and Authentication?

By: Gunter Fuchs

Not considering how to actually do encryption or authentication, it is fairly simple for a native Latin speaker (http://www.etymonline.com/index.php?term=authentic, http://www.etymonline.com/index.php?term=crypto) to distinguish between the two. We authenticate something to prove to the receiver of the “something” that it actually came from us. We encrypt a message so nobody, including us, can read it. Why do we authenticate or encrypt? We authenticate so that the receiver is assured that what she received came from us and not from an imposter. This “thing” can be an item – a coin or painting for instance, or a piece of information, an email attachment or a speed command to a uranium centrifuge. We encrypt information so that only the intended receiver(s) can understand it.

So that was simple. But why do computer gurus go through great efforts to provide means of information authentication? Wouldn’t encrypting information be enough? Couldn’t the sender just include its name and address in the information and then encrypt? Well, no. The problem is that although a “man in the middle” will not understand the information, he will still be able to change it. For instance, in computer communication protocols a destination address (port) might be at a fixed position in a message. An adversary could copy such a message when it is on its way through some wire, change this value randomly, and monitor his own port(s) until one of these messages – though still garbled – arrives. Once the adversary has received one message, he can inject the encrypted port value for his own port into every message. One message would not be enough for a hacker to perform decryption, but many make this possible. Not only would an adversary then be able to decipher messages that were not meant for her, but she can now also “break the code”, meaning deduce the encryption key. And with that key in hand, she can now send messages that are not authentic.

Therefore, a secure communication consists of authenticating the message and encrypting it.  To learn more about the importance of protecting your trade secrets, check out this white paper.
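To make the point concrete, the added example below (not part of the original post) compares a receiver that only decrypts with one that checks an HMAC over the ciphertext first. The keys, nonce, message layout and the toy SHA-256 keystream cipher are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

ENC_KEY = b"constructed-encryption-key"      # constructed sample keys
MAC_KEY = b"constructed-authentication-key"  # separate key for the MAC


def keystream(nonce, length):
    """Toy SHA-256 counter-mode keystream, for illustration only."""
    blocks = range((length + 31) // 32)
    stream = b"".join(
        hashlib.sha256(ENC_KEY + nonce + struct.pack(">I", i)).digest()
        for i in blocks)
    return stream[:length]


def xor_crypt(nonce, data):
    """Encrypt or decrypt: the same XOR operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(nonce, len(data))))


def seal(nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_crypt(nonce, plaintext)
    return ct, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()


def open_sealed(nonce, ct, tag):
    """Return the plaintext, or None if the message was altered in transit."""
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(nonce, ct)


def demo():
    nonce = b"nonce-0001"
    # Constructed message: 2-byte port at a fixed position, then the command.
    message = struct.pack(">H", 8080) + b"speed=1200"
    ct, tag = seal(nonce, message)
    altered = bytes([ct[0], ct[1] ^ 0x01]) + ct[2:]  # changed in transit
    blind = xor_crypt(nonce, altered)  # receiver that only decrypts
    return {
        "decrypt_only_port": struct.unpack(">H", blind[:2])[0],
        "decrypt_only_body": blind[2:],
        "authenticated": open_sealed(nonce, altered, tag),
        "untampered": open_sealed(nonce, ct, tag),
    }
```

The decrypt-only receiver accepts a message whose port silently changed while the rest still reads correctly; the authenticating receiver rejects it before decrypting anything.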

Symmetric vs. Asymmetric Encryption: Which Way is Better?

There are two fundamental ways to use keys or secrets for encryption: symmetric and asymmetric. Symmetric encryption uses the identical key to both encrypt and decrypt the data. Symmetric key algorithms are much faster computationally than asymmetric algorithms as the encryption process is less complicated. The length of the key is critical for the strength of the security. NIST has recommendations on how long a key should be, in general 160-512 bits. There are inherent challenges with symmetric key encryption in that the key must somehow be managed. Distributing a shared key is a major security risk.

symmetric encryption


Asymmetric encryption uses two related keys (public and private) for data encryption and decryption, and takes away the security risk of key sharing.  The private key is never exposed.  A message that is encrypted by using the public key can only be decrypted by applying the same algorithm and using the matching private key.   Likewise, a message that is encrypted by using the private key can only be decrypted by using the matching public key.

Asymmetric Encryption


Are you building secure devices to protect your engineering designs and guard your product against potential hacking? Receive a FREE Atmel CryptoAuthentication development tool.

This blog was written by Steve Jarmusz, Atmel Applications Manager for Crypto, Memory and Analog Devices. 

What’s the price on health? Wireless Hacking is No Joke.

Hackers have extended their reach beyond just computers and phones.  Some are targeting devices that go into a patient’s body, such as pacemakers, or that help administer drugs, such as insulin pumps.  Researchers have successfully demonstrated how a hacker can wirelessly hack into the system and take control.  As a result, a random level of electrical shock can be sent to the heart patient or the wrong dosage of drugs can be injected.  Although the incentive in such a hack is not obvious, who knows what goes on in the mind of a criminal?  Devices with inadequate security are prone to such attacks, and the financial liabilities to the manufacturers can be crippling.  Fortunately, these kinds of breaches can be easily prevented by implementing a hardware-level security device.

Avnet Certified to Program CryptoAuthentication Chips

Avnet Electronics Marketing has been certified as a programming service provider for the Atmel SHA204 CryptoAuthentication high-security authentication devices. For design engineers, this certification means that you’ll be able to more easily pair any microcontroller on the market with our SHA204 chips. This should help you bring your secure, differentiated products to market more quickly.

Atmel SHA204 chips are the first devices in the CryptoAuthentication line to integrate the SHA-256 hash algorithm with a 4.5-Kbit EEPROM that can be used for storage of keys, miscellaneous read/write, read-only or secret data, consumption logging and security configuration.