This is actually rather clever. The folks at INSIDE Secure, who specialize in semiconductor solutions for secure transactions and digital identity, have introduced a teeny-tiny turnkey security chip.
To be honest, I did not realize just how much was involved in this, but after chatting to the guys and gals at INSIDE Secure I’ve learned a whole bunch of stuff about what it takes to make things more protected in this uncertain world. Take a microprocessor, for example. In the case of an unprotected processor, nefarious scoundrels can measure its power consumption over time while it is busy encrypting or decrypting, run a statistical technique called differential power analysis (DPA) over those power traces, and use this to recover the secret keys being used, without ever opening the package.
This is not a good thing to happen, so the chaps and chappesses at INSIDE Secure work on all aspects of security (including creating secure processor cores) to make the world a safer place for the rest of us.
And why is this of interest here? Well, one of the big things to consider is that more-and-more machines are being connected together and are communicating with each other – so you really want your machines to be able to verify the identity of other machines before they give all of your valuable secrets away.
And it’s not just “your eyes only” type secrets we’re talking about. Let’s take something as simple as a print cartridge, for example. When it comes to purchasing a replacement, you may decide to visit a high-priced store, or you may prefer to go somewhere slightly less salubrious like “Honest John’s Printer Emporium” where – amazingly – it seems that they can sell you exactly the same thing for only a fraction of the price. What a great deal! How could you refuse?
The problem is, of course, how can you be certain that the printer cartridge from "Honest John" isn’t a knock-off containing some weird gunk that may well wreak havoc on the delicate mechanisms inside your poor little printer?
All of which brings us to today’s announcement – a teeny-tiny (3mm x 2mm) turnkey security chip/module called VaultIC100 that is designed to enable the manufacturers of high-tech products and consumables to reduce the cost of implementing robust security measures that protect their brands from counterfeiting and cloning.
Let’s return to our printer cartridge example. Suppose that genuine printer cartridges came equipped with an embedded VaultIC100 as illustrated in the following graphic I just threw together (so any errors are my fault):
The idea is that when you plug in a new cartridge, the printer generates a random number (the “challenge”) and sends it to the VaultIC100 chip embedded in the cartridge. The VaultIC100 signs the challenge using its private key, which never leaves the chip, and returns the resulting digital signature to the printer. The printer then verifies this signature using the matching public key and checks that it is a valid signature over the very random number it just sent out. (Strictly speaking, what comes back is a signature rather than a “certificate”, and because the challenge is freshly generated every time, a counterfeiter cannot simply record one genuine response and replay it later.) If the signature checks out, the cartridge is genuine and life is sweet; otherwise, the cartridge is fake and alarm bells start to ring, lights start to flash, metal security shields fall to seal the doors and windows … or, at least, whatever measures the printer manufacturers deem to be appropriate are enacted (maybe the printer just prints a message saying “I’m sorry to say that you are using an unauthorized cartridge … please do not do so again!”).
Personally I think this is really, really interesting – I can see all sorts of uses for this technology. What about the Smart Grid, for example? There was an article in Scientific American magazine a few months ago saying that the one part of the Smart Grid that has – thus far – received little attention is that of security. Do we really want a Smart Grid that can be taken over by terrorists? Consider Smart Meters, which will soon number in the tens of millions and then hundreds of millions. You shouldn’t think of these as simply being “clever meters” – rather each of these meters is a terminal that provides access into the Smart Grid. I can see the VaultIC100 concept playing really well here.
- As an aside… if you want to know more about the concept of public and private keys, you should check out that great article by Synplicity (now Synopsys) titled How to implement an open IP encryption flow.
- As another aside… a street vendor in Hong Kong (who may or may not have been called “Honest Wang”) once offered me a “Genuine Counterfeit Rolex,” and you don’t get much more honest than that.
- As yet another aside… this reminds me of another story (just wind me up and watch me go). I was once purchasing a pair of denim jeans in an “interesting” little store in Singapore. I was much younger then and the thought of a pair of new jeans for just a couple of dollars was jolly exciting. So I found a pair I liked (they were all generic without labels) and took them to the old gentleman who was in charge of the till. While relieving me of my money, he asked what type of jeans I liked, and I replied “Levi 501s.” The old man immediately pulled out a drawer stuffed with designer labels of all types, retrieved a Levi 501 tab, whipped out a small sewing machine, and “customized” my jeans on the spot. I’ve never seen anything like it… it left me speechless (and you don’t hear me say that very often :-)
- And, as yet one more aside (I’m sorry, I’ll stop after this one)… speaking of Singapore, my granddad was a master gunner in the Royal Navy, and he was part of the party that mapped out Singapore harbor. They basically did this by sailing back and forth in a rowing boat using a weighted line. (If I haven’t already bored you enough, you might want to read the story of My Granddad’s Razor Sharp Knife over on my TheWayThingsWere.com website.)
But we digress… where were we and what were we talking about? Oh yes, the VaultIC100 chip/module from INSIDE Secure. Rather than my waffling on any further, let’s simply hand things over to the official release as follows:
“Counterfeiting and cloning is taking a tremendous toll on makers of popular high tech brands, not only in lost revenues, but also in jobs lost and company reputation,”
said Christian Fleutelot, general manager, Vault-IC, secure microcontroller solutions business unit, at INSIDE Secure. “The VaultIC100 chip provides these manufacturers with a turnkey solution offering banking-level security to protect their brands at a price point attractive for high-volume markets.”
Batteries, chargers, printer ink, toner cartridges and other consumer electronics accessories represent the largest segments of the counterfeit products market. With the VaultIC100 turnkey security solution, manufacturers can now protect their brands with a turnkey solution featuring a smaller footprint and less memory – reducing the overall system cost.
The VaultIC100 device features elliptic curve mutual authentication, a highly secure and efficient method of protecting these products. Using the VaultIC100 security module, printers and ink cartridges, for example, can authenticate each other, ensuring that the ink cartridge has been approved for use with the printer, but also that it is the correct one for that model printer. Cell phones and laptops can ensure that only approved batteries of the correct type are employed, providing an extra measure of safety from potential fires or explosions.
INSIDE’s VaultIC100 can protect against cloning of various applications including ink and toner cartridges, computer and gaming console accessories, white goods, batteries and battery chargers, MP3 readers, Bluetooth earphones, smart energy meters and more.
In the simplest case, the host product (a printer or cell phone, for instance) sends a random challenge message to the accessory product (ink cartridge or battery), which contains an embedded VaultIC100, to check if it is an authorized device. The VaultIC100 uses its securely stored private key to compute the elliptic curve digital signature of the challenge message and send it back to the host. Using the corresponding public key, the host performs the necessary signature verification and then based on the result decides whether to authenticate the accessory or not.
For even greater security, the VaultIC100 can be employed as part of a public-key infrastructure (PKI). Although more complex to implement, the PKI approach is a more secure way of distributing keys, and completely eliminates the need to store a copy of the secret key in the host device. The public key and its digital certificate can either be embedded in the host or be stored in the VaultIC100 embedded in the accessory product and retrieved by the host when needed for authentication. The private key is protected in the VaultIC100.
Smaller footprint, less memory
The new VaultIC100 security module is low cost and extremely compact (2 x 3 mm). It includes a secure RISC CPU, hardware random number generator and INSIDE’s µAd-X advanced hardware crypto accelerator, which supports the use of various FIPS-recommended elliptic curves up to 303 bits. Communications are handled through one- or two-wire (I²C) interfaces, making the VaultIC100 suitable for a variety of high volume embedded applications.
The VaultIC100 also includes a variety of dedicated anti-tampering hardware for protection against simple and differential power analysis (SPA/DPA) attacks, advanced protection against physical attacks (including active shield), environmental protection systems (voltage, frequency and temperature monitors), light protection and secure management/access protection to prevent reverse engineering or cloning. The VaultIC100 is Common Criteria EAL4+ ready and able to protect high-value assets.
The included advanced security firmware makes it easy to implement fully user-defined, non-volatile storage of sensitive or secret data; set up identity-based authentication with user, administrator and manufacturer roles; perform authentication, digital signature, encryption/decryption and other advanced cryptographic operations using keys and data from the file system; and provide secure communication channels. INSIDE’s VaultIC Starter Kit provides an easy path to mastering the cryptographic and secure data storage features of the VaultIC security modules.
Availability and pricing
The VaultIC100 is available now for sampling. Please contact INSIDE Secure for pricing information.
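To make the challenge-response exchange concrete (the one sketched in the printer-cartridge description above, and restated in the release’s “simplest case” and PKI paragraphs), here is a small Go program added as an illustration. It is not code from INSIDE Secure, from the VaultIC100 firmware, or from the original post, and everything in it is an assumption made for the example: the “certificate” is a hash of the model string and public key signed with a manufacturer key rather than a real X.509 certificate, the model names (“Printer-X200”, “Printer-X300”) and the “Honest John” counterfeits are constructed, and Go’s standard-library ECDSA on P-256 (one of the FIPS-recommended curves) stands in for the chip’s hardware accelerator. What software cannot stand in for is the part that actually makes the scheme hold: the cartridge’s private key has to be unextractable, which is exactly what the SPA/DPA and tamper countermeasures listed in the release are for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is a hypothetical accessory certificate: public key plus approved host model, manufacturer-signed (a real product would likely use X.509).
type Cert struct {
	Model  string
	PubKey *ecdsa.PublicKey
	Sig    []byte // manufacturer ECDSA signature over certDigest(Model, PubKey)
}

// Accessory is the consumable: a private key that never leaves its chip plus a readable Cert.
type Accessory struct {
	priv *ecdsa.PrivateKey
	Cert Cert
}

// Host is the printer or phone: it stores no secret, only the manufacturer's public key.
type Host struct {
	ManufacturerPub *ecdsa.PublicKey
	Model           string
}

var (
	ErrNotManufacturerSigned = errors.New("certificate not signed by manufacturer")
	ErrWrongModel            = errors.New("certificate is for a different host model")
	ErrBadResponse           = errors.New("challenge response invalid: accessory lacks the certified private key")
)

// must panics on crypto/rand failure, which is unrecoverable in this toy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certDigest fixes the bytes the manufacturer signs (fixed-width coordinates, NUL separator).
func certDigest(model string, pub *ecdsa.PublicKey) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%064x%064x", model, pub.X, pub.Y)))
	return d[:]
}

// Provision is the assumed factory step: generate the accessory's P-256 key pair and sign its certificate.
func Provision(manufacturer *ecdsa.PrivateKey, model string) *Accessory {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert := Cert{Model: model, PubKey: &priv.PublicKey}
	cert.Sig = must(ecdsa.SignASN1(rand.Reader, manufacturer, certDigest(model, cert.PubKey)))
	return &Accessory{priv: priv, Cert: cert}
}

// Respond signs the host's challenge: the only operation that ever touches the private key.
func (a *Accessory) Respond(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, a.priv, digest[:]))
}

// Authenticate runs the exchange from the host's side; nil means genuine.
func (h *Host) Authenticate(a *Accessory) error {
	// 1. Does the presented certificate chain to the manufacturer?
	if !ecdsa.VerifyASN1(h.ManufacturerPub, certDigest(a.Cert.Model, a.Cert.PubKey), a.Cert.Sig) {
		return ErrNotManufacturerSigned
	}
	// 2. Is it approved for this model (genuine, but the wrong cartridge)?
	if a.Cert.Model != h.Model {
		return ErrWrongModel
	}
	// 3. Fresh random challenge (so a recorded response cannot be replayed), verified under the certified key.
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(a.Cert.PubKey, digest[:], a.Respond(challenge)) {
		return ErrBadResponse
	}
	return nil
}

// RunScenarios provisions a genuine cartridge and three counterfeits for a constructed host model and returns each result.
func RunScenarios() map[string]error {
	manufacturer := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	host := &Host{ManufacturerPub: &manufacturer.PublicKey, Model: "Printer-X200"}
	genuine := Provision(manufacturer, "Printer-X200")
	otherModel := Provision(manufacturer, "Printer-X300")
	john := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // "Honest John's" own key pair...
	selfSigned := Provision(john, "Printer-X200")                // ...signing his own certificate
	// A cleverer clone copies the genuine certificate (public data) but cannot copy the private key locked inside the genuine chip.
	copiedCert := &Accessory{priv: john, Cert: genuine.Cert}
	return map[string]error{
		"genuine":     host.Authenticate(genuine),
		"wrong model": host.Authenticate(otherModel),
		"self-signed": host.Authenticate(selfSigned),
		"copied cert": host.Authenticate(copiedCert),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

The three rejections fail at different steps, which is the practical point of the PKI variant: a counterfeiter who dumps the printer’s firmware obtains only the manufacturer’s public key, which is useless for minting new certificates; copying a genuine cartridge’s certificate is trivial (it is public data) but gets him only as far as the challenge, where the absence of the private key shows up; and a genuine cartridge for another model is caught by the model binding in the signed certificate rather than by anything the host has to keep secret.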