The importance of a hardware root-of-trust in an anti-counterfeiting IC

This entry was posted on Wednesday, May 17th, 2017.

Scott Best, a technical director at Rambus Security, has written an article for Semiconductor Engineering about the important role a hardware root-of-trust plays in an anti-counterfeiting IC. As Best explains, during manufacture, an anti-counterfeiting security IC is securely programmed with secret data. Subsequently, during operation, it proves to a verifying host that it knows that secret data.

“This prove-you-know-the-secret authentication process between the security IC and a verifying host can be implemented in many ways, from incredibly simple to incredibly secure,” he explained. “For example, the security IC might contain nothing more than non-volatile storage, and the verifying host could simply read the secret data to confirm that the security IC is authentic.”

According to Best, this scenario isn’t secure: the secret crosses the bus in the clear, so an adversary who wishes to impersonate an authentic chip (e.g., to ship a cloned or counterfeit consumable such as a cellphone replacement battery) need only monitor the data exchange between the verifying host and the security IC once to capture it.

“A more secure proof-of-knowledge protocol involves cryptographic functions and there are as many possible protocols as there are cryptographic functions. [However], one aspect all secure protocols have in common is the concept of ‘challenge response,’” he stated. “That is, a verifying host creates a random challenge and delivers that message to the security IC. The security IC then uses its secret data to operate on the challenge in some cryptographic manner, and then returns a response.”

Put simply, an adversary monitoring the communication between the verifying host and the security IC now observes only random challenge values and the corresponding cryptographic outputs, which, if the primitive is sound, are computationally indistinguishable from random and reveal nothing about either the challenge or the secret data. Nevertheless, however strong the cryptographic primitives securing a challenge-response protocol, a determined adversary is merely delayed, not defeated.
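The two schemes Best contrasts, as an added example that is not part of the original article or of any Rambus product: the naive read-the-secret protocol beside a challenge-response protocol, with a passive bus tap recording each exchange and a counterfeit built from nothing but that recording. HMAC-SHA256 as the IC’s “cryptographic manner” of operating on the challenge, the constructed 128-bit key and the clone strategies are assumptions made for illustration; the article names no particular algorithm. The final case, a clone that has already extracted the key by other means, shows why the side-channel discussion that follows matters: once the secret is known, a standard algorithm is all the counterfeiter needs.

```python
"""Prove-you-know-the-secret authentication: naive readout vs. challenge-response.

Added example, not code from the article or from Rambus. The host <-> IC bus is
modelled in Python; HMAC-SHA256, the key bytes and the clone strategies are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed 128-bit secret provisioned at manufacture; not a real key.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


class BusTap:
    """Passive adversary: records every byte exchanged between host and IC."""

    def __init__(self):
        self.transcript = []  # list of (direction, payload)

    def observe(self, direction, payload):
        self.transcript.append((direction, bytes(payload)))

    def from_ic(self):
        return [p for d, p in self.transcript if d == "ic->host"]


class NaiveIC:
    """'Nothing more than non-volatile storage': the host reads the secret out."""

    def __init__(self, secret):
        self._secret = secret

    def read_secret(self):
        return self._secret


class ChallengeResponseIC:
    """Operates on a host-supplied challenge with its secret and returns the MAC."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ReplayClone:
    """Counterfeit built only from a captured transcript: replays what it saw."""

    def __init__(self, tap):
        self._replay = tap.from_ic()[-1]  # last thing the authentic IC sent

    def read_secret(self):
        return self._replay

    def respond(self, challenge):
        return self._replay  # cannot compute anything: same bytes for any challenge


def naive_protocol(host_secret, ic, tap):
    """Host reads the stored secret over the bus and compares it."""
    value = ic.read_secret()
    tap.observe("ic->host", value)
    return hmac.compare_digest(value, host_secret)


def challenge_response_protocol(host_secret, ic, tap):
    """Host sends a fresh random challenge; the IC must MAC it with the shared secret."""
    challenge = secrets.token_bytes(16)
    tap.observe("host->ic", challenge)
    response = ic.respond(challenge)
    tap.observe("ic->host", response)
    expected = hmac.new(host_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def run_demo():
    results = {}

    # Naive scheme: one eavesdropped session hands the adversary the secret itself.
    tap = BusTap()
    results["naive_authentic"] = naive_protocol(DEVICE_SECRET, NaiveIC(DEVICE_SECRET), tap)
    results["naive_clone"] = naive_protocol(DEVICE_SECRET, ReplayClone(tap), BusTap())

    # Challenge-response: the transcript holds only a random challenge and a
    # pseudorandom response, useless against the next (fresh) challenge.
    tap = BusTap()
    results["cr_authentic"] = challenge_response_protocol(
        DEVICE_SECRET, ChallengeResponseIC(DEVICE_SECRET), tap)
    results["cr_replay_clone"] = challenge_response_protocol(
        DEVICE_SECRET, ReplayClone(tap), BusTap())

    # A clone that has extracted the key (e.g. via a side channel) only needs
    # the standard algorithm: any low-cost MCU can run HMAC-SHA256.
    results["cr_keyed_clone"] = challenge_response_protocol(
        DEVICE_SECRET, ChallengeResponseIC(DEVICE_SECRET), BusTap())
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:16s} {'AUTHENTICATED' if ok else 'REJECTED'}")
```

The replay clone fails against challenge-response only because the host draws a fresh, unpredictable challenge each time; a host that reuses challenges, or draws them from a weak generator, reopens the replay path the naive scheme suffers from.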

Indeed, certain markets for electronic consumables (e.g., printer ink and toner cartridges) are worth more than $50B USD annually, creating high incentive for skilled adversaries to penetrate security barriers. Moreover, there are dozens of techniques in an attacker’s arsenal, with most of them relying on a simple truth: to prove that it knows the secret data, the security IC must perform a calculation involving that secret key data.

“While cryptographic functions are probably secure at the mathematical level, that perfection is compromised when the math is executed in circuits – semiconductor processors utilize structures that are typically not reflected in the math, including power delivery, data buses, clocking, setup and hold margins, etc.,” he explained. “All of these imperfect transformations between math and circuit create ‘side-channels’ [such as Differential Power Analysis, or DPA] that can be exploited by an adversary to determine the secret-key data utilized during a challenge-response calculation.”

As Best points out, the Cryptography group of the Rambus Security Division pioneered the Differential Power Analysis (DPA) technique, along with the most effective countermeasures to prevent information leakage due to that side channel.

“Once a side-channel attack is effective and the adversary has obtained the secret data of an authentic security IC, are counterfeits close behind? The answer is usually yes,” said Best. “While there are as many different challenge-response protocols in the market as there are anti-counterfeiting security IC vendors, they almost all rely on standard cryptographic algorithms (e.g., AES, SHA, Elliptic Curve, etc.). So once an adversary has obtained the secret data, it is relatively straightforward for them to program a low-cost, off-the-shelf MCU to imitate the challenge-response behavior of an authentic chip.”

According to Best, solutions of this type can be broadly categorized as software root-of-trust systems: their security depends on algorithms and data which, although the algorithms execute in hardware and the data sits in transistor-based non-volatile memory, can be executed and represented just as well in software. In contrast, a more difficult-to-copy solution is known as a hardware root-of-trust. In this approach, part of the cryptographic processing is performed in a circuit that cannot be cost-effectively emulated by software running on a low-cost MCU.

“Suppose, for example, that the anti-counterfeiting security IC contained a customized processor that could complete the equivalent of one-billion 128-bit transformations every few milliseconds. Suppose further that this processing engine applied its algorithm to every input challenge,” he wrote. “In this case, even if the adversary learned the chip’s secret-data, they could not program a low-cost off-the-shelf MCU to mimic the transformation circuit necessary to mimic the protocol. Well, they could, but the low-cost MCU would require several hours to complete a single challenge-response calculation. In this way, a hardware root-of-trust can add a ‘proof-of-work’ layer in addition to proof-of-knowledge security.”
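The proof-of-work layer Best describes, as an added example that is not the article’s circuit or any Rambus code: the “anti-emulation transformation” is modelled as a long chain of SHA-256 calls over the challenge, applied before the keyed proof-of-knowledge step. The round count, the nanoseconds-per-round figures for the authentic IC and for an MCU emulator, and the host’s response deadline are all assumptions chosen so the example runs in under a second; timing is simulated from those figures rather than measured, so the outcome is deterministic. The check a practitioner would want is visible in the verifier: the work factor only deters a slow emulator if the host enforces a deadline, and an emulator that skips rounds to meet the deadline produces the wrong bytes instead.

```python
"""Adding a proof-of-work layer to challenge-response authentication.

Added example, not the article's circuit or Rambus code. The transformation
engine is modelled as ROUNDS chained SHA-256 calls; ROUNDS, the per-round
timings and the deadline are assumptions for illustration (the article's
engine does ~1e9 transformations in a few milliseconds).
"""
import hashlib
import hmac
import secrets

ROUNDS = 20_000              # work factor (assumed; far below the article's figure)
RESPONSE_DEADLINE_MS = 5.0   # host rejects any slower response (assumed)
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def transform(challenge, rounds=ROUNDS):
    """The expensive, hard-to-shortcut transformation applied to every challenge."""
    x = challenge
    for _ in range(rounds):
        x = hashlib.sha256(x).digest()
    return x


def expected_response(secret, challenge, rounds=ROUNDS):
    """Proof-of-knowledge (HMAC with the secret) over the proof-of-work output."""
    return hmac.new(secret, transform(challenge, rounds), hashlib.sha256).digest()


class Responder:
    """A device answering challenges: knows `secret`, runs `rounds` of the transform,
    and is assumed to spend `ns_per_round` nanoseconds per round (simulated)."""

    def __init__(self, secret, ns_per_round, rounds=ROUNDS):
        self._secret = secret
        self.ns_per_round = ns_per_round
        self.rounds = rounds

    def respond(self, challenge):
        elapsed_ms = self.rounds * self.ns_per_round / 1e6  # simulated wall time
        return expected_response(self._secret, challenge, self.rounds), elapsed_ms


class Host:
    """Verifier. In this model the host recomputes the transform itself, so it
    too needs the fast engine (or a precomputed table); the article does not
    say how the host side is built, so that is an assumption here."""

    def __init__(self, secret):
        self._secret = secret

    def authenticate(self, device):
        challenge = secrets.token_bytes(16)
        response, elapsed_ms = device.respond(challenge)
        # Without a deadline the work factor buys nothing: a slow emulator
        # holding a stolen key still produces the right bytes eventually.
        if elapsed_ms > RESPONSE_DEADLINE_MS:
            return False
        return hmac.compare_digest(response, expected_response(self._secret, challenge))


def run_demo():
    host = Host(DEVICE_SECRET)
    return {
        # Custom circuit: 1 ns/round -> 0.02 ms, well inside the deadline.
        "authentic_ic": host.authenticate(Responder(DEVICE_SECRET, ns_per_round=1)),
        # MCU emulator with the stolen key: correct bytes, but 2 us/round -> 40 ms.
        "mcu_emulator": host.authenticate(Responder(DEVICE_SECRET, ns_per_round=2_000)),
        # Emulator that skips rounds to beat the deadline: fast, but wrong response.
        "shortcut_emulator": host.authenticate(
            Responder(DEVICE_SECRET, ns_per_round=2_000, rounds=1_000)),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:18s} {'AUTHENTICATED' if ok else 'REJECTED'}")
```

The chained hash stands in for the custom circuit only to make the cost tunable in software; the real asymmetry Best relies on is that the authentic part runs the transformation in dedicated hardware while the counterfeiter’s general-purpose MCU cannot, and the deadline in `Host.authenticate` is what turns that speed gap into a rejection.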

Most importantly, Best emphasizes, an adversary can no longer copy a hardware root-of-trust security IC simply by copying the software and data – they must expend the effort to copy the customized hardware itself.

“Semiconductor hardware is much more expensive and time-consuming to copy than the software and data within the semiconductor. This is how anti-MCU, or anti-emulation transformation circuits elevate typical software root-of-trust solutions into more robust hardware root-of-trust anti-counterfeiting solutions and how such solutions can deter and delay an adversary’s introduction of counterfeit products into the market,” he concluded.