Escolar Documentos
Profissional Documentos
Cultura Documentos
Information Quarterly
[35] Volume 4, Number 1, 2005
TECHNOLOGY IN-DEPTH
• Reduced paperwork OMA DRM V2.0-like application that Emerging Applications Require High
• Minimize human errors and medical endows some of its policy handling capa- Performance
fraud bilities to the card. NAND flash storage devices require logic
and CPU resources to handle Error
Corporate secure storage applications are Emerging Applications Require Correction Code (ECC) since hardware-
another example. They generally involve Robust Security based correction is not sufficient at all
multiple users using the same physical Flash storage is susceptible to physical times. When data is encrypted, this prob-
device. The storage device is operated by examination; its content can easily be lem is further exacerbated, as even an
different users, including a remote admin- scanned using standard lab tools (e.g. error in a single bit of data renders the
istrator, at different times. A secure storage flash programmers). Therefore, any appli- entire file useless when applying best-
system enforces the required access control cation involving sensitive information practice, Cipher-Block-Chaining (CBC)
mechanism, so that users obtain the pre- must encrypt such information before it is encryption schemes. Additionally, wear
defined access privileges to their corre- stored. It goes without saying that any leveling has to be monitored and handled
sponding information. sensitive credential or key has to be stored in the background.
encrypted in a secure storage in the flash,
Naturally, such applications consist of sev- otherwise it will be prone to hacking or These new emerging applications require
eral components that are external to the tampering. A personal storage applica- a far greater processing power, as these
card (servers, host application, etc.). tion, for example, protects sensitive infor- devices must handle much more than just
However, the security and access policy mation from misuse if the device is lost or flash read/write operations and ECC. A
must be handled by the card, where the stolen. In contrast, a corporate secure stor- significant source of burden on the CPU
sensitive information resides. age application must enforce policy and comes from CPU-intensive cryptographic
protect files against hacking – even by operations if these are done in software. In
Digital Rights Management (DRM) their legal users. To respond to these particular, RSA operations such as digital
DRM addresses content protection, so that threats adequately, hardware-based signature and key exchange involve
content consumption (playback) can only encryption and integrity verification has heavy mathematical calculations entail-
be performed according to predefined pol- to be employed to ensure sensitive infor- ing significant processing resources. For
icy, generally defined in a usage rights or mation does not leak out and cannot be such calculations involving large number
rules object. DRM for flash cards has been tampered with. multiplications and many load/store oper-
defined by two major standards, the ations, 8-bit processors are insufficient.
Content Protection for Removable Media Mobile banking, remote access and secure Furthermore, 8-bit code also requires a
(CPRM) defined by the 4C Entity for Secure PC login require strong authentication. To larger code memory space resulting in an
Digital (SD) cards and MagicGate defined address these requirements, Public Key increase in the cost of the storage device.
by Sony and implemented in the Sony Infrastructure (PKI) is typically employed
Memory Stick. with RSA (Rivest Shamir Adelman) keys Additionally, in the mobile environment
serving for challenge/response-based several security applications may have to
On another front, DRM for mobile devices authentication. As the RSA private key is run concurrently. For example, a handset
has recently gained significant traction the most sensitive element in such a sys- user may listen to a song stored on card
with the Open Mobile Alliance (OMA) tem, highly secure On-Board Key using a DRM scheme. The DRM scheme
DRM V2.0 appearing as one of the leading Generation (OBKG) is used to create the typically incorporates encryption of con-
schemes for mobile handsets. RSA key pair (private and public). Since tent using a session key between the card
random values are used in this process, a and the host, without any user interven-
The OMA DRM V2.0 currently only hardware-based Random Number tion or even user awareness of this process.
enables storage of content on card without Generator (RNG) has to be used to ensure At the same time, the user may request
the card’s participation in any policy han- the true randomness that cannot be through his/her handset application to
dling. In other words, the content is bound exploited by hackers. open a secure data file. This requires the
only to the host (handset). However, to card to verify whether it trusts the applica-
support the “fair use” policy, in which As storage device applications become tion using an RSA asymmetric key opera-
paid content can be played back on any more sophisticated, the masked ROM of tion. Support of multi-applications and
device, a more card-centric DRM scheme the device becomes too small, and larger multitasking is most effectively addressed
must be supported, in which the content is parts of the code must be stored in flash using a card operating system. The oper-
bound to the card. In such a case, the card memory. Secure device boot and firmware ating system itself consumes CPU process-
owner will have full flexibility to play code integrity becomes essential to ensure ing power.
back the content on other devices (e.g. that device protection cannot be circum-
audio system which is not connected to vented by merely modifying the code. For For those reasons, as storage device appli-
any network). Such a scheme, however, the most flexible verification scheme that cations evolve, the need to migrate from 8-
requires the card to support a ‘card-DRM’ enables new code to be introduced, the bit processors to 32-bit processors becomes
application that authenticates the appli- storage device should be equipped with apparent.
cation on the host side (to ensure that the hardware-based signature verification
playback application is not an illegal capabilities. Introduction of hardware-based crypto-
recorder). Some companies have already graphic processors improves not only the
taken the first steps toward developing an level of security, but enables significant
CPU offloading. RSA operations for exam- other ARM core-based devices may be eas-
ple can be calculated using a small dedi- ily adopted for flash storage devices.
cated hardware engine in conjunction ARM’s rich development environment and
with an efficient firmware layer. In this ARM development boards in particular
instance, the CPU is still utilized, but the are valuable assets enabling easy debug
cryptographic calculation is much faster. and automated tests that enable faster
Furthermore, when a large encrypted file development and integration - meaning
is read from the storage card, “on-the-fly” short time-to-market.
decryption must be done without requir-
ing CPU intervention. This can only be Discretix has developed CryptoFlash™, a
done using a hardware encryption engine dedicated security solution for flash stor-
with direct memory access (DMA) capabil- age devices. CryptoFlash is a multi-layered
ities. In a similar fashion, file encryption security solution which is already field
and integrity verification can be per- proven. A hardware IP core that includes
formed on the fly at rates exceeding that cryptographic engines and RNG provide
of USB 2.0. the basic cryptographic layer. An easy-to-
use firmware layer API, CRYS
CryptoFlash Plus ARM: Performance (CRYptographic Services), provides access
and Security to the hardware engines and an easy-to-
As we have seen, support for the emerging use API to cryptographic algorithms.
applications requires both high-perform- Additional device toolkits such as secure
ance microcontrollers and high-perform- storage toolkit, DRM agent and others are
ance security solutions. offered on top of CRYS. CryptoFlash sup-
ports the high performance on-the-fly
Fortunately, such an integrated solution is requirements of storage devices and pro-
available from Discretix and ARM. vides robust hardware implementation of
all essential security building blocks. In
ARM 32-bit processors provide the addition, CryptoFlash enables secure boot
required processing power for these appli- and code verification, and implements
cations. In particular the ARM7TDMI state-of-the-art countermeasures to thwart
processor and the ARM Cortex-M3 proces- attacks. Integrated into CryptoFlash is
sor provide high performance combined Discretix’s patented mechanism that pro-
with cost- and power-effectiveness yearned vides both secrecy and integrity verifica-
for by flash storage device manufacturers. tion for a large memory space which is not
The ARM Thumb instruction set (using 16- physically protected.
bit instructions) enables higher code den-
sity, yielding smaller code size which sim- Figure 4 shows the combined security solu-
plifies memory management of these tion for storage devices. The CryptoFlash
SRAM-constrained devices. The ubiquity and ARM processor provide a complete
of ARM processors may also serve flash solution that saves development costs
storage devices, as applications written for and shortens time-to-market.