Why Now Is a Good Time to Secure Your Embedded Systems with SHA-3

Why Now is a Good Time to Secure Your Embedded Systems with SHA-3

By Scott Jones, Managing Director, and Nathan Sharp, Sr. Business Manager, Embedded Security November 2018 Abstract Published by the National Institute of Standards and Technology (NIST), Secure Hash Algorithms continue to evolve to provide increasingly stronger levels of cryptography-based security. The latest iteration, SHA-3, has a new internal computational structure as compared to previous NIST-specified hash algorithms to address known vulnerabilities of its predecessors. As embedded systems become smarter and more connected, it’s more critical than ever to safeguard them from attack. SHA-3 can help; however, implementing cryptographic hash functions can be challenging without a background in cryptography. This white paper discusses the merits of SHA-3 and highlights how secure authenticators designed with SHA-3 algorithms and physically unclonable function (PUF) technology can provide strong embedded security without requiring cryptography expertise.

www.maximintegrated.com 2 of 8 Introduction Safeguarding Embedded Systems

Earlier this spring, a report was published ensure the integrity operating parameters describing how hackers used a network- of a sensor or tool, enable or disable connected, but unsecured, fish-tank subsystem features, and also to safeguard thermometer in a casino lobby to break these embedded systems from invasive into the network and steal data1. The attacks. Let’s examine both technologies in incident raises yet another spotlight on the next sections of this paper. how vulnerable embedded systems can be Embedded security without proper protection. SHA-3: Robust ICs are evolving Hackers continue to get more Challenge-and-Response sophisticated in their techniques to Authentication to provide more attack ICs that implement security in an embedded system. Microprobing, Cryptographic hash algorithms turn an robust protection focused ion beam (FIB), and reverse- input digital message into a short message engineering are just a few examples digest that can then be used in digital of invasive attack techniques in their signatures and other security applications. arsenal. Because of this, the risk is high A change in the original message—even a that security implemented in software on single bit—results in a significant change a general-purpose microcontroller will in value to the digest; this is called the be broken and circumvented. Encryption, avalanche effect. Because of this, it’s for instance, might be relatively easy and fairly easy to detect either accidental cost-effective to implement in software, or intentional changes made to the but for a nominal fee a hacker will extract original message. Additional properties the firmware to obtain the keys. of cryptographic hash algorithms include: 1) they are one-way functions, so you Hardware-based embedded security ICs cannot obtain the input from the output provide a stronger level of protection—but value; 2) the probability is near zero that even these products must continue to more than one input message will create evolve to stay ahead of cybercriminals. the same digest output (an occurrence An example of this evolution combines that cryptographers call a “collision”)2,3. the SHA-3 cryptographic hash function, a Ultimately, cryptographic researchers latest generation cryptographic algorithm, found vulnerabilities with the first iteration with the protection provided by the of SHA, SHA-1, in terms of finding a technology of a PUF. PUF, together with collision. By that time, NIST had approved the SHA-3 cryptographic hash function, SHA-2 and, while SHA-2 shares a similar provides a powerful combination to mathematical implementation as prevent counterfeiting, securely manage SHA-1, it is still an approved NIST the lifecycle of an end product, store and algorithm providing better protection compared to SHA-1.4

3 of 8 www.maximintegrated.com Released by NIST on August 5, 2015, PUF Technology Protects SHA-3 is based on the KECCAK cryptographic function, which consists Against Invasive Attacks of a structure that utilizes sponge The security advantages of PUF 5 construction . Sponge construction technology stems from the fact that it is represents a class of algorithms that derived from the complex and variable take (absorb) an input bit stream of physical and electrical properties of ICs. any length to produce (squeeze) an Since PUF depends on unpredictable, output bit stream of any desired length. uncontrollable, random physical Sponge functions can be used to model factors that get introduced in the IC or implement cryptographic hashes, manufacturing process, it is virtually message authentication codes, and other impossible to duplicate or clone. PUF cryptographic primitives. The KECCAK technology natively generates a digital function is considered to be strong due fingerprint for its associated IC; this to its intricate, multi-round permutation fingerprint can be used as a unique ƒ, the function that transforms the state key, or secret, to support algorithms 6 memory of the hashing algorithm. for authentication, identification, anti- SHA-3 is the first cryptographic hash counterfeiting, hardware-software binding, algorithm that NIST has adopted using a and encryption/decryption. public competition and vetting process. The way that PUF is implemented NIST selected the KECCAK algorithm as differs from vendor to vendor. Maxim’s the foundation of the SHA-3 standard after approach ensures that the unique binary a competition that assessed candidates value generated by each PUF circuit on: is guaranteed to be repeatable over • Performance level, regardless of temperature and voltage and as the device implementation ages. Called ChipDNA™ technology, Maxim’s PUF circuit relies on the naturally • Ability to withstand known attacks, occurring random analog characteristics while maintaining a large safety of fundamental MOSFET devices to factor produce the cryptographic keys. This • Ability to be subjected to implementation of PUF provides a high cryptanalysis level of security because the unique binary value is generated only when needed by • Code diversity7 the PUF circuit and is not stored anywhere An additional advantage of SHA-3 is on the chip. As such, any attempts to its silicon implementation efficiency. invasively break into the IC to discover This makes it cost-effective compared the secret key are useless. In addition, if to other algorithms and optimal for a device with ChipDNA technology does securing embedded sub-systems, sensors, face an attack, the attack itself can cause consumer electronics, etc8. the electrical characteristics of the PUF circuit to change, further impeding the intrusion.

www.maximintegrated.com 4 of 8 Robust Security Without The DS28E50 DeepCover® secure authenticator also features ChipDNA Cryptography Expertise PUF technology. Equipped with this For someone without a background in combination of security functions, the cryptography (which is not uncommon device can be integrated into an embedded in the world of embedded systems system to prevent counterfeiting, design), implementing hash functions aftermarket cloning, unauthorized usage, and symmetric key-based authentication and invasive attacks. A single-contact comes with a level of complexity. Using 1-Wire® bus simplifies communication an embedded security IC with SHA-3 with the end application. The DS28E50 functions and PUF technology built in can be used with a coprocessor, which alleviates the challenges, providing robust would offload the design’s host processor embedded security without requiring from running the SHA-3 algorithm and cryptography expertise. securely storing the system key. For implementations without the coprocessor, Maxim’s newest secure authenticator Maxim offers software that can be is the first such device on the market integrated into the design to handle these with a SHA3-256 cryptographic engine. functions. The device is available in a 3mm x 3mm TDFN package. See Figure 1 for a functional diagram.

CX PARASITE POWER

CEXT

64-BIT ROM ID

1-WIRE IO INFC BUFFER & CMD SHA3-256 TRNG

2kb E2 ARRAY USER MEMORY SHA3 SECRET DECREMENT COUNTER AUTHENTICATED PIO REGISTERS GPIO ChipDNA

DS28E50

Figure 1. DS28E50 functional diagram

5 of 8 www.maximintegrated.com Where Can Secure The use cases for secure authenticators are wide-ranging; here are a few that Authenticators Be Used? illustrate their value: In addition to anti-counterfeiting, anti- In an electrosurgical application, cloning, and usage control functions, depicted by the diagram in Figure 2, secure authenticators provide many other it’s critical to ensure that the medical applications. For example, they can be device is genuine, has not been used used to secure end-customer feature beyond its defined limits, and has not upgrades, to manage third-party vendors, been used in any unauthorized manner. and for secure boot/software updates. A secure authenticator enables device These devices do so via features such manufacturers to cryptographically as bi-directional authentication, secure prove that the sensor in their device is memory, encrypted system data storage, genuine, to enforce usage control limits, secure use counting, system session key and to ensure that their device is used as Secure generation, secure general-purpose IOs, intended. NIST-compliant random numbers, and authenticators the integration of public or secret key can be integrated algorithms. into an array of applications

SECURE 1-WIRE

1 AUTHENTICATOR µC COMPROCESSOR AUTHENTICATOR 2

5678 9 MAX32650

4 DS28E50 DS28E50

3 DS2477 -

1 1 FECG'%() LEAD 1 2 2

, LEAD LEAD 2 3 3 #

INTERFACE LEAD 3 LEADSECG $% & # "

! ECG LEADWIRE ) $

MAX14937

<=>5 ? CABLE % 4 3 & CONNECTOR - ; / ; :

DIGITAL ISOLATOR DIGITAL ) , ESU + ' 1 # ! ) * DRIVE ) ( & ' . '

HANDPIECE & 0 ' % / $ %

ELECTROSURGICAL #

. ESU CABLE " ! %

ISOLATED POWER ISOLATED - MANAGEMENT IC CONNECTOR SURGICAL DEVICE WITH ECG AND ESU STACKABLE CONNECTOR

Figure 2. Electrosurgical application

www.maximintegrated.com 6 of 8 3D PRINTER 3D PRINTER CARTRIDGE

PLASTIC MOTOR CONTROL NOZZLE FILAMENT

SYSTEM POWER MICROPROCESSOR SECURE DS28E50 COPROCESS0R AUTHENTICATOR DS2477

1-WIRE PRINT BED CONTROL PRINT BED

Figure 3. 3D printer cartridge authentication Bi-directional authentication, Cloning of printer cartridges can be costly As Figure 4 depicts, a secure authenticator to the original manufacturers and, if can be used for secure boot or secure secure memory, quality is compromised, to consumers. As download of a data file, verifying and encrypted depicted in Figure 3, secure authenticators signatures to ensure that the data shared embedded in the 3D printer and its between the host and the remote device system data accompanying cartridges can ensure is valid before triggering the execution (or storage are authenticity and protect the IP from a reset or shutdown should the signature counterfeiting and illegal copying via a fail). just a few key SHA-3 challenge-and-response approach. functions of secure authenticators DEVELOPMENT ENVIRONMENT REMOTE DEVICE

FIRMWARE OR SECURE DATA FILE AUTHENTICATOR SIGNING SYSTEM DS28C36

PUBLIC KEY

FIRMWARE FIRMWARE PRIVATE KEY PRIVATE UPDATE UPDATE

COMPUTE HASH COMPUTE HASH

SIGN HASH VERIFY SIGNATURE

ACCEPT/REJECT SIGNATURE SIGNATURE FIRMWARE UPDATE

Figure 4. Secure boot/download

7 of 8 www.maximintegrated.com Summary Whether in medical consumables, industrial, consumer, or an array of other applications, embedded systems continue to be vulnerable to the prying reach of increasingly sophisticated cybercriminals. Embedded security ICs can protect these products from counterfeiting, cloning, unauthorized usage, invasive attacks, and other security threats. Many of these devices can be integrated without requiring cryptography expertise, allowing you to focus on your core competencies. By preventing security attacks from the ground up, you can build the consumer trust that is critical to any product success.

For More Information Learn more about ChipDNA PUF technology from use cases, a video, a webinar, and white papers.

Sources

1. Hackers Stole a Casino’s High-Roller Database Through a Thermometer in the Lobby Fish Tank 2. How Does a Hashing Algorithm Work? 3. Cryptographic Has Function 4. Why Aren’t We Using SHA-3? 5. The Sponge and Duplex Constructions 6. Sponge Function 7. Keccak: The New SHA-3 Encryption Standard 8. NIST Released SHA-3 Cryptographic Hash Standard

Learn more For more information, visit: www.maximintegrated.com

© 2018 Maxim Integrated Products, Inc. All rights reserved. Maxim Integrated and the Maxim Integrated logo are trademarks of Maxim Integrated Products, Inc., in the United States and other jurisdictions throughout the world. All other company names may be trade names or trademarks of their respective owners. 8 of 8