Fundamentals of SHA-3 Master/Slave Mutual Authentication System
Abstract
Analog Devices' DeepCover® secure authenticators implement advanced physical security to provide the ultimate in cost-effective IP protection, clone prevention, and peripheral authentication. This application note introduces an authenticator (DS28E50) and a coprocessor (DS2477). It explains the general logistics of the SHA-3-based security system, and it illustrates the use of an authenticator and a coprocessor to perform mutual authentication of the master and the slave in a real application.
Introduction
As computer technology advances, customers are asking for an even higher level of security. Analog Devices' answer is the DeepCover® Secure Authenticator DS28E50 with 1-Wire®, SHA-3, and user EEPROM and the DS2477 SHA-3 coprocessor with a 1-Wire master function.
Secure authentication system implementation Diagram
DS28E50 1-Wire SHA-3 Authenticator
The DS28E50 supports a challenge size of 256 bits and uses a 256-bit secret. Each 1-Wire slave has a unique 64-bit ROM ID, which serves as the node address in a 1-Wire network and is a fundamental ingredient for authentication. The function commands for the DS28E50 include general memory read/write access, as well as security functions for slave authentication to the master and master authentication to the slave for write access. The memory is separated into pages of 32 bytes and allows the user to set protections on memory pages. See the DS28E50 Security User Guide for a description of device commands, a memory map, and available memory protections.
DS2477 SHA-3 Coprocessor with a 1-Wire Master
The DS2477 secure I2C coprocessor with built-in 1-Wire master combines FIPS 202-compliant secure hash algorithm (SHA-3) challenge-and-response authentication with Analog Devices' patented ChipDNA™ feature—a physically unclonable technology with the ultimate protection against security attacks.
Security Logistics
SHA-based security relies on hash message authentication codes (HMACs) computed from open data and a secret. To verify authenticity, both sides (i.e., the host or coprocessor and the 1-Wire authenticator) must know the secret, which shall never be exposed. In addition, the secret in each 1-Wire authenticator should be unique. This way, in case the secret of a single authenticator is compromised, the security of the entire system is not affected.
At first glance, it appears impossible to meet these requirements. There is, however, a simple solution: compute the secret from known ingredients at a trusted location. These ingredients are a master secret (32 bytes), the binding data (32 bytes), a partial secret (32 bytes), the authenticator's ROM ID (8 bytes), and padding/formatting ("other data"). Although the ingredients are exposed at one point in time, the computed secret is never exposed and remains hidden.
In-Factory Setup
DS2477 Coprocessor
The coprocessor setup involves only communication between the host processor and the coprocessor. The master secret, binding data, and partial secret should be generated as random numbers. Once the values of these ingredients are defined, these values apply to the entire system. To be recognized as authentic in the system, all coprocessors and authenticators must be set up using the same values. Table 1 shows the host activity and coprocessor commands involved in performing the setup.
| Flow | Host Controller Steps | |||||
| 1. Install master secret A.* | 1. Write Memory: page 4, secret [32 bytes] | |||||
| 2. Put unique random data into master secret B (is not used). | 2. Data = Read RNG: 32 bytes 3. Write Memory: page 5, data [32 bytes] |
|||||
| 3. Set WP+RP protections on master secrets A and B. | 4. Set Page Protection: page 4, WP+RP 5. Set Page Protection: page 5, WP+RP |
|||||
| 4. Install partial secret to page 0.* | 6. Write Memory: page 0, partial secret [32 bytes] | |||||
| 5. Install binding data to page 1.* | 7. Write Memory: page 1, binding data [32 bytes] | |||||
| 6. Set WP+RP protection on pages 0 and 1. | 8. Set Page Protection: page 0, WP+RP 9. Set Page Protection: page 1, WP+RP |
|||||
| *If these values need to be generated, use the read RNG command on the DS2477 or any true random number generator. See the DS2477 Security User Guide for command details | ||||||
DS28E50 1-Wire Authenticator
The setup of the authenticator is similar to that of the coprocessor. Table 2 shows the sequence of steps and authenticator commands involved in performing the setup. After loading the master secret and binding data into the authenticator, the partial secret is provided to the authenticator's Compute and Lock SHA-3 Secret command. The Compute and Lock SHA-3 Secret command finally generates and installs the authenticator's unique secret, thus overwriting the master secret. The DS28E50 can be set up using any 1-Wire master. This app note assumes that the DS2477 1-Wire master will be used to set up the DS28E50.
| Flow | DS2477 | DS28E50 |
| 1. Write master secret (same as master secret A in the DS2477) | Full Command Sequence | Write Memory: page 6, secret [32 bytes] (same secret as DS2477 page 4) |
| 2. Write binding data to page 0 (same as the DS2477) | Full Command Sequence | Write Memory: page 0, binding data [32 bytes] (same as DS2477 page 1) |
| 3. Generate and save unique slave secret | Full Command Sequence | Compute and Lock SHA-3 Secret: page 0 (binding data), protection/secret parameter = 0x80, partial secret [32 bytes] (same as DS2477) |
| 4. Overwrite binding data in page 0 with feature data | Full Command Sequence | Write Memory: page 0, feature data [32 bytes] |
| 5. Set WP protection on page 0 (optional) | Full Command Sequence | Set Page Protection: page 0, WP |
| *See the DS2477 Security User Guide and the DS28E50 Security User Guide for command details. This example uses page 0 for authentication. | ||
Process Flow
Generating the Authenticator's Unique Secret in the Coprocessor (in the Field)
Before the host can verify whether an authenticator belongs to the system, the authenticator's unique secret must be recreated inside the coprocessor (S-Secret). Table 3 shows the I2C commands involved in performing the Coprocessor Compute and Lock SHA-3 Secret. The coprocessor knows already the master secret, binding data, and partial secret. Additional data needed are the authenticator's ROM ID and the manufacturer ID. With multiple authenticators on the 1-Wire bus, the Read ROM command is not applicable. Instead, the search ROM sequence must be used, identifying one 1-Wire device at a time. The term "customization data" refers to the authenticator's ROM ID, manufacturer ID, and the page number (OR'd with 0x80) where the binding data was located in the authenticator.
| [START] |
| Tx: I2C address (Write) |
| Tx: Coprocessor Compute and Lock SHA-3 Secret (0x3C) |
| Tx: Write length byte (13) |
| Tx: Parameter byte 1 page options: 0x89 |
| Tx: Parameter byte 2 secret options: 0x08 |
| Tx: Customization (11 bytes): ROM ID (8 bytes), (page* | 0x80) (1 byte, slave binding data page), MAN ID(0) (1 byte), MAN ID(1) (1 byte) |
| [STOP] |
| [DELAY, tRM+tWM+tCMP+tRM+tRM] |
| [START] |
| Tx: I2C address (Read) |
| Rx: Read length byte (1) |
| Rx: Result byte |
| [STOP] |
| *Page = 0x00 |
Verifying the Authenticity of the Authenticator
Table 4 shows the sequence of steps needed to verify an authenticator's authenticity in a given system using the DS2477 coprocessor.
| Flow | DS2477 | DS28E50 |
| 1. 1-Wire Search to find ROM ID of DS28E50 | 1-Wire Search | N/A |
| 2. Read DS28E50 ROM Options page to get ROM ID and MAN ID | Full Command Sequence | Read Memory (page 7) |
| 3. Send DS2477 Full Authenticate | Full Authenticate (see Table 5) | See DS2477 Security User Guide pages 8 and 9 for detailed steps regarding what the Full Authenticate command is sending to DS28E50 |
| 4. Overwrite binding data in page 0 with feature data | Full Command Sequence | Write Memory: page 0, feature data [32 bytes] |
| 5. Set WP protection on page 0 (optional) | Full Command Sequence | Set Page Protection: page 0, WP |
| *See the DS2477 Security User Guide and the DS28E50 Security User Guide for command details. This example uses page 0 for authentication. | ||
To verify the DS28E50 with a generic host (i.e., to authenticate an authenticator), the host needs to know the data of one of the authenticator's memory pages. Then the authenticator receives a challenge from the host and the authenticator is instructed to compute a page HMAC and to send it to the host for verification. Once the host knows the page HMAC, it computes an HMAC using the same data. If both HMAC results are identical, the S-Secret in the host matches the unique secret in the authenticator, confirming that the authenticator is part of the system. All of these procedures can be handled by a single Full Authenticate command on the DS2477. See Table 5 (or the DS2477 Security User Guide) for the I2C commands needed.
| [START] | ||||||
| Tx: I2C address (Write) | ||||||
| Tx: Full Authenticate (0xE1) | ||||||
| Tx: Write length (16) | ||||||
| Tx: Parameter byte 1 (page options: 0x89) | ||||||
| Tx: Parameter byte 2 (secret options: 0x08) | ||||||
| Tx: Parameter byte 3 (Authentication Page options: 0x00) | ||||||
| Tx: Parameter byte 4 (Read Memory delay: 0x19 (50ms)) | ||||||
| Tx: Parameter byte 5 (Compute and Read Page Authentication delay: 0x1C (56ms)) | ||||||
| Tx: Slave ROM ID (8 bytes) | ||||||
| Tx: Customization (3 bytes): (page* | 0x80) (1 byte, slave binding data page), MAN ID(0) (1 byte), MAN ID(1) (1 byte) | ||||||
| [STOP] | ||||||
| [DELAY, tRM + tCMP + 3 × tOP + tRM + tRM + READ MEMORY DELAY * 2ms + tRNG + CRPA DELAY * 2ms + 1-Wire TIMING (139 bytes, 2 RESETS)] | ||||||
| [START] | ||||||
| Tx: I2C address (Read) | ||||||
| Rx: Read length byte (33 on success, 1 on error) | ||||||
| Rx: Result byte | ||||||
| Rx: (On success) page data (32 bytes) | ||||||
| [STOP] | ||||||
| *Page = 0x00 | ||||||
Faster Verification that the Authenticator Is a Part of the System
While the Full Authenticate command in the DS2477 simplifies the authentication process for the user, it does so by executing each step automatically in series. It is possible to speed up the authentication process by manually executing the authentication steps and have the DS2477 generate the unique slave secret while the DS28E50 is generating the HMAC for Compute and Read Page Authentication, as seen in Table 6 below.
| Flow | DS2477 | DS28E50 |
| 1. Set DS2477 to Overdrive speed | 1-Wire Block | N/A |
| 2. Find DS28E50 slave with 1-Wire Search | 1-Wire Search | N/A |
| 3. Read DS28E50 page 0 | Full Command Sequence | Read Memory (page 0) |
| 4. Generate challenge | Read RNG (32 bytes) | N/A |
| 5. Issue Compute and Read Page Authentication to DS28E50 | 1-Wire Block (see DS28E50 Security User Guide Table 26: Send everything before the delay) | Compute and Read Page Authentication: page = 0x00, authentication type = 0x00, challenge (32 bytes) |
| 6. Generate unique slave secret | Coprocessor Compute and Lock SHA-3 Secret (see Table 3) | N/A (Computing page 0 HMAC during this time) |
| 7. Read HMAC from DS28E50 | 1-Wire Block (see DS28E50 Security User Guide Table 26; read everything after the delay) | Return result from Compute and Read Page Authentication. |
| 8. Compute HMAC | Compute HMAC: parameter byte = 0x02, data = DS28E50 page 0 data (32 bytes) | N/A |
| 9. On host processor, verify DS28E50 HMAC matches HMAC calculated by the DS2477 | - | - |
Writing to the Authenticator with Host Authentication—Authenticated Write
If the 1-Wire authenticator is verified as part of the system, the host can write to the user memory using the Authenticated Write Memory command. Table 7 shows the sequence of steps and commands needed to write one segment. As a precondition, the host needs to know the current memory page data (old page data) before a page can be updated (new page data). Note that the page must have authentication write protection HMAC (APH) or encryption and authenticated write protection HMAC (EPH) set on it. This example will assume the DS28E50 is set up according to Table 2 with the exception that page 0 will have APH protection set in step 5.
| Flow | DS2477 | DS28E50 |
| 1. 1-Wire Search to find ROM ID of DS28E50. | 1-Wire Search | N/A |
| 2. Read DS28E50 ROM Options page to get ROM ID and MAN ID. | Full Command Sequence | Read Memory (page 7) |
| 3. Generate unique slave secret in DS2477. | See Table 3. | N/A |
| 4. Get current data from page 0 from DS28E50 (old page data). | Full Command Sequence | Read Memory (page 0) |
| 5. Compute HMAC to provide Authenticated SHA-3 Write Memory with new page data and other required data (see DS28E50 Security User Guide Table 30). | Compute HMAC: parameter = 0x02, data (75 bytes; see DS28E50 Security User' Guide Table 30) | N/A |
| 6. Issue Authenticated SHA-3 Write Memory command to DS28E50. | Full Command Sequence | Authenticated SHA-3 Write Memory: page parameter = 0x00, secret parameter = 0x00, new page data (32 bytes), HMAC = calculated in step 5 |