
Security Made Solid with Non-Volatile NOVeA

Synopsis: Security, a buzzword and concept once perceived as a magical panacea, is now a term that is familiar to many logic designers. Some have even developed expertise in this area. The increased interest in security stems from two main factors: first, the need to reduce threats and damage resulting from security breaches, and second, the opportunity to deploy new revenue-generating applications. USB flash drives have exhibited remarkable growth while enhancing the level of security. According to leading analysts, high-end phones will increase market share from 5% in 2004 to over 20% in 2008, showing over 50% annual growth, while integrating hardware-based security into the baseband or application processors. Changes in the application landscape are the driving force behind the advances in the upcoming generation of handset processors and micro-controllers used for storage devices and dongles. Mobile handsets have evolved into fully developed computing devices, which bring together functionality that had previously been associated with media players, personal digital assistants, credit cards, flash drives and even laptops. As a result, the requirements of flash controllers are changing to meet the demands of these new applications. These include storage protection, digital content protection and authentication tokens. Many of these secure applications involve sensitive information that changes over time, including a PIN fail counter, an e-cash balance and a digital rights play-credit counter. To ensure that such stateful information is not illegally altered, it is often complemented by integrity checksums. However, one simple attack can easily bypass such protection, enabling undetected tampering. By reprogramming the flash with a previously stored image, i.e. reflashing the flash memory, the attacker can restore any desired value that has since been altered.

In this manner, a $100 e-cash balance can be consumed, but then reused endlessly without actually having to reload the balance. Similarly, a PIN attempts counter can be restored to circumvent PIN protection, and the play-counter of a digital rights management system protecting a popular Britney Spears song (with a countdown counter) can be restored to a previous value. To counteract this rather simple attack, anti-reflash protection must be applied. This involves storing a special value that reflects the current state in on-chip storage designed to withstand reflash attacks. This value needs to be updated after any corresponding change to one of the values it protects, such as after any change in e-cash balance. Patent-pending Discretix technology enables reflash-resistant protection of arbitrarily large storage by saving a relatively small, but cryptographically sufficient, integrity checksum. This is where the joint solution from Virage Logic and Discretix comes into play. Using the technology developed by Discretix, Virage's NOVeA is effectively used to implement a secure storage mechanism which provides complete security services. 256 bits of NOVeA memory suffice for achieving confidentiality, data integrity and anti-reflash protection of arbitrarily large memory. NOVeA is integrated in the controller or processor chip and is not part of the flash memory susceptible to reflash attacks. Discretix security solutions, comprised of hardware cryptographic engines, security middleware and device applications, rely on NOVeA for an optimal level of hardware-based security. Discretix has already successfully deployed security solutions based on NOVeA. They have been proven to effectively address security needs and be easily integrated into storage devices and handset chipsets.

Embedded Security Market Grows

Recent trends in the world of embedded devices require the enhancement of security attributes and features. Both mass storage devices and high-end handset chipsets are experiencing an exceptional compound average growth rate (CAGR) of over 40%, while enhancing the security infrastructure to address new security requirements. Hundreds of millions of flash storage devices are already shipping annually. Application processors are expected to grow at a phenomenal rate (CAGR) of almost 50% in the coming years, reaching almost $3 billion in 2008. One of the key drivers for this trend is the constant evolution of handsets supporting more and more features, larger memory storage and, ultimately, converged functionality that integrates functions which until now have been on separate devices: multimedia players for playing premium songs and video clips, credit cards and e-wallets to avoid fumbling for the card or coins, flash storage embedded on board or inserted into the device expansion slot, and even full laptop applications that may contain presentations, pricing information and more.

Security-Aware Applications Prevail

As today's smartphones are tomorrow's feature phones, converged device applications are becoming a reality. Smartphones, enhanced phones and PDAs can run numerous security-conscious applications. Figure 1 shows some emerging applications such as personal secure storage, corporate secure storage, Digital Rights Management (DRM) for content and software, user authentication, SIM-lock protection, secure firmware updates, M-commerce and M-banking.

Figure 1: Flash Storage Application Landscape

Digital Rights Management (DRM)

DRM addresses content protection, ensuring that content consumption (playback) can only be performed according to a predefined policy, generally defined in a usage rights or rules object. Two of the most common DRM schemes for mobile devices are the Open Mobile Alliance (OMA) DRM V2.0 and Microsoft Windows Media DRM. While these current schemes are handset-centric, another scheme, Content Protection for Removable Media (CPRM) defined by the 4C Entity, is starting to gain momentum for systems with a Secure Digital (SD) card. It is likely that other storage-card-centric DRM schemes will be supported as well in the coming months. In such schemes, the content is bound to the card, and the card owner has full flexibility to play the content on other devices (e.g. an audio system that is not connected to any network). Some companies are engaged in developing an OMA DRM V2.0-like application that endows the storage card with some of its policy-handling capabilities. All of these applications need device credentials to be stored securely so that even the rightful device owner cannot gain access to these secret keys. This is a requirement because a dishonest user may have an incentive to hack the protected digital content and potentially publish it on the Internet.

Mobile Payment Applications

Several mobile payment schemes have come into common use. In Japan, NTT DoCoMo sold over 3 million handsets equipped with Sony's FeliCa contactless (proximity) IC chip card. FeliCa users simply have to wave their handset across a dedicated reader to pay for goods and services. The handset acts as a mobile wallet. MasterCard has conducted phone-based trials of its PayPass contactless payment technology and is expected to expand these trials next year. In Korea, the MONETA contactless mobile payments system works in a similar fashion.

In Europe, the large-scale SimPay initiative was reduced from an inter-operator pan-European scheme to a smaller, local-operator scale. It is likely that the reason for this was that the scheme was too large and expensive in scale. Other, smaller-scale schemes will benefit from the fall of SimPay, as it is likely to take several years for pan-European schemes to be resurrected. Figure 2 shows a typical mobile-payments system. While in some schemes a single mobile operator is responsible for all financial settlements, in other, more complex schemes several operators may interoperate and use a clearing house to settle inter-operator transactions. Apparently, proximity contactless-based schemes such as those mentioned above currently succeed better than alternative over-the-air payment schemes. From a security standpoint, regardless of the exact scheme, robust secure storage is required to respond to two main threats: device loss and fraud attempts, including attempts by the user to restore a depleted e-cash balance.

Figure 2:

Encrypted Storage Applications

When sensitive information is stored on media such as USB Flash Drives (UFDs) or mobile handsets, encrypted disks come into play. Personal secure storage enables a single user to store any information on the target storage device securely. Such information may include personal credentials, passwords, and financial or healthcare-related information. Enterprises can also rely on this application to enable their employees to carry sensitive information that is protected in case the UFD or mobile device is left unattended or lost. Corporate secure storage is another such example. In such applications, multiple users can use the same physical storage device (i.e. the storage device is operated at different times by different users, including a remote administrator). A secure storage system must ensure that users obtain their predefined access privileges to their corresponding information. This application not only protects information in case of loss, but also protects information held by a particular user and owned by a different user.

Requirements from Secure Storage

What are the requirements of robust secure storage? It is well understood that any sensitive credential or key must be stored encrypted in secure storage, otherwise it will be prone to hacking or tampering. Surprisingly, only limited attention is paid to integrity protection in general and to anti-reflash protection in particular, which ensure that data has not been tampered with or restored from a previous image. Hardware-based secure storage is needed since flash storage is susceptible to physical examination. The content can easily be scanned using standard lab tools (e.g. flash programmers). Consequently, any application involving sensitive information must encrypt such information before it is stored. The user may also arbitrarily modify the stored data without prior knowledge of the result. The user may, for example, change the encrypted data suspected of encoding an e-cash balance, later examining whether the balance has increased or decreased. In case it has gone down, the attacker tries again until a higher balance is achieved. Adequate integrity protection foils such attacks, since arbitrary changes of encrypted data are unlikely to match the corresponding integrity checksums. However, in a similar fashion, scanned flash images can be reflashed, i.e. restored in whole or in part. Other applications also require protection against similar threats: corporate secure storage applications support password management that involves failed-attempt counters. If not protected, these counters may be reflashed by an attacker (or even a legitimate user) to gain unlimited password attempts. DRM applications often involve keeping track of a playback counter which counts down every time content is played. Malicious users can attempt to bypass the DRM policy by keeping a memory image which includes a given value in the playback counter, consuming the playback and then restoring the previous playback credit. Hardware-based secure storage that includes integrity and reflash protection is therefore essential for any application that involves security-related stateful information.

Firmware Upgrades

With the advent of new features and new applications, the masked ROM of the device no longer suffices; larger parts of the code as well as data must be stored in flash memory. Secure device boot and firmware code integrity become essential to ensure that device protection cannot be circumvented by merely modifying the code. For the most flexible verification scheme, one that enables new code to be introduced, the secure storage application should be capable of protecting code verification keys as well as supporting hardware-based signature verification capabilities.

Virage Logic and Discretix Join Forces

Discretix technology enables reflash-resistant protection of arbitrarily large storage by saving a relatively small, but cryptographically sufficient, integrity checksum. Using patent-pending Discretix technology, Virage's NOVeA is effectively used to implement a secure storage mechanism that provides complete security services. 256 bits of NOVeA memory suffice for achieving confidentiality, data integrity and anti-reflash protection of arbitrarily large memory. NOVeA is integrated in the controller or processor chip and is not part of the flash memory susceptible to reflash attacks. Discretix security solutions, comprised of hardware cryptographic engines, security middleware and device applications, rely on NOVeA for an optimal level of hardware-based security.

Discretix has already successfully deployed security solutions based on NOVeA; they have been proven to effectively address the security needs and can be easily integrated into storage devices and handset chipsets.

Hardware-Based Secret Key

A scalable approach to secure storage involves a small, well-kept, device-unique random secret, which protects arbitrarily large data. Discretix's secure storage implementation for storage devices, which uses Virage Logic NOVeA, is illustrated in Figure 3. The Secret CryptoKey is accessible only by the hardware-based AES (Advanced Encryption Standard) engine and is not directly accessible by any application. The cryptographic services layer feeds encrypted information from the storage device's CPU or directly from the secure storage on the flash. The secure physical implementation of the secret key as part of the storage device's controller ensures its ability to protect the device against physical attacks. In certain cases it may be desirable to reprogram the secret key in-system during the lifetime of the device, which can only be supported by NOVeA.

Figure 3: Secret CryptoKey connected to AES engine

Anti-Reflashing Protection

While integrity validation information stored in flash is sufficient to provide protection against arbitrary data modification, it does not protect against more sophisticated reflash attacks. To thwart attempts to reuse e-cash balances, restore a PIN fail counter or circumvent a content protection license, there is a need to store integrity validation data in a physically secure location, separate from the data it protects. The same physical means can be used to store the anti-reflash validation code and the secret CryptoKey (e.g. Virage Logic NOVeA). Figure 4 shows the Discretix anti-reflash solution using NOVeA to store the integrity data.

The integrity validation data can be implemented so that it can only be physically changed in one direction (i.e. as a counter that only advances), thus ensuring that even malicious software cannot change it to a previous value. An additional code integrity protection module (secure boot) constitutes a second line of defense, assuring that no malicious code can run.
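The two attacks described under "Requirements from Secure Storage" (blind modification of encrypted data, and reflashing a saved image) and the anti-reflash mechanism of this section can be modelled in a few dozen lines. The following is an added example written for this page, not Discretix or Virage Logic code: SecureElement stands in for the controller side (a device-unique secret that nothing outside the object can read, plus 256 bits of on-chip storage for the anti-reflash value, the role the article assigns to NOVeA), while the flash record lives outside it, where an attacker can read, modify and restore it. All names (SecureElement, Wallet, seal, open, the three attack functions) are this example's own; HMAC-SHA256 stands in for the hardware AES engine for both keystream and checksum, and os.urandom stands in for a secret programmed at manufacture, so that the model runs with only the Python standard library.

```python
"""Model of hardware-anchored secure storage with anti-reflash protection.

Added illustration for this page, not vendor code.  Names and mechanisms
(SecureElement, Wallet, HMAC-based keystream) are this example's own.
"""
import hashlib
import hmac
import os
import struct


class SecureElement:
    def __init__(self) -> None:
        self._secret = os.urandom(32)   # constructed device-unique secret
        self._anchor = bytes(32)        # 256-bit on-chip anti-reflash value

    def checksum(self, seq: int, ciphertext: bytes) -> bytes:
        """Keyed integrity checksum over sequence number and ciphertext."""
        msg = struct.pack(">Q", seq) + ciphertext
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def _keystream(self, seq: int, length: int) -> bytes:
        # seq is fresh for every write, so the keystream is never reused.
        out = bytearray()
        for block in range((length + 31) // 32):
            out += hmac.new(self._secret, b"enc" + struct.pack(">QI", seq, block),
                            hashlib.sha256).digest()
        return bytes(out[:length])

    def seal(self, seq: int, plaintext: bytes) -> tuple:
        """Encrypt, checksum, and refresh the on-chip anti-reflash value."""
        ks = self._keystream(seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = self.checksum(seq, ciphertext)
        self._anchor = tag   # the one copy a flash reflash cannot roll back
        return (seq, ciphertext, tag)

    def open(self, record: tuple) -> bytes:
        """Reject modified images and stale-but-valid images, then decrypt."""
        seq, ciphertext, tag = record
        if not hmac.compare_digest(tag, self.checksum(seq, ciphertext)):
            raise ValueError("tampered: checksum does not match data")
        if not hmac.compare_digest(tag, self._anchor):
            raise ValueError("reflashed: image is internally valid but stale")
        ks = self._keystream(seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Wallet:
    """E-cash balance whose record is kept in attacker-accessible flash."""

    def __init__(self, se: SecureElement, balance: int) -> None:
        self.se = se
        self.seq = 0
        self.flash = None        # (seq, ciphertext, tag) as stored off-chip
        self._write(balance)

    def _write(self, balance: int) -> None:
        self.seq += 1
        self.flash = self.se.seal(self.seq, struct.pack(">I", balance))

    def balance(self) -> int:
        return struct.unpack(">I", self.se.open(self.flash))[0]

    def spend(self, amount: int) -> int:
        remaining = self.balance() - amount
        if remaining < 0:
            raise ValueError("insufficient balance")
        self._write(remaining)
        return remaining


def blind_modification_attack() -> str:
    """Attacker flips a ciphertext bit, hoping the balance goes up."""
    w = Wallet(SecureElement(), 100)
    seq, ct, tag = w.flash
    w.flash = (seq, bytes([ct[0] ^ 0x80]) + ct[1:], tag)
    try:
        w.balance()
        return "undetected"
    except ValueError as err:
        return str(err)


def reflash_attack() -> str:
    """Attacker dumps the image at $100, spends $40, restores the dump."""
    w = Wallet(SecureElement(), 100)
    saved_image = w.flash
    w.spend(40)
    w.flash = saved_image
    try:
        w.balance()
        return "undetected"
    except ValueError as err:
        return str(err)


def flash_only_checksum_accepts_stale_image() -> bool:
    """Same reflash, checked only against the checksum kept in flash."""
    w = Wallet(SecureElement(), 100)
    saved_image = w.flash
    w.spend(40)
    seq, ct, tag = saved_image
    return hmac.compare_digest(tag, w.se.checksum(seq, ct))


if __name__ == "__main__":
    print(blind_modification_attack())                 # tampered: ...
    print(reflash_attack())                            # reflashed: ...
    print(flash_only_checksum_accepts_stale_image())   # True
```

The third function is the point of the section: the restored image passes the flash-resident checksum, because image and checksum were written together and are mutually consistent; only the comparison against the on-chip anchor, refreshed on every write, catches it. The anchor is a 256-bit digest, so its size is independent of how much data it protects. The one-way counter variant the text mentions changes only where the anchor is kept, not the check: the on-chip value would advance on each write and be included in the checksum, and a stale image would carry a counter value the hardware can no longer reproduce.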

Figure 4: Anti-reflash Protection

Author Bio: Ophir Shalitin is the Director of Product Marketing - Cards for Discretix. He brings with him 10 years of experience in software engineering, data security, product management and marketing from companies such as Cylink and Algorithmic Research. Shalitin received his B.Sc. in Computer Science, B.A. in Economics and MBA from Tel-Aviv University and is also a graduate of the Wharton GCP program.
