TECHNOLOGY IN-DEPTH

Secure Flash Card Applications

Hit the Horizon
Author:
O ne of the most remarkable segments
of the market for embedded devices is
Ophir Shalitin, Director, Discretix removable solid-state storage. This defini-
tion applies to both USB flash drives
Synopsis:
(UFDs) as well as flash storage cards
Over the next several years the USB
flash drive (UFD) and flash card market
(which in this article will be referred to as
is expected to grow at a rapid pace of storage devices). Flash cards come in vari-
close to 40 percent annually. Initially ous forms and shapes with seven main
used primarily as storage media for digital form factors (UFD, Compact Flash, Secure
cameras, flash cards are now coming of age Digital, Memory Stick, MultiMedia Card,
as smart storage devices for sophisticated XD-picture card and SmartMedia), with Furthermore, each year the sales price per
computing devices, especially mobile some form factors having mini-versions.
handsets. Consequently, flash card require-
megabyte plunges by almost 30 percent.
ments are changing to meet the demands As floppy disks become obsolete, and UFD
of this new market. At the same time,
Some of these form factors are expected to with larger storage become more afford-
USB flash drives are also developing quickly, show a compound average growth rate able, more people will carry high-capacity
adding more security applications, such as (CAGR) exceeding 60 percent in the next UFDs in their pockets. No wonder they are
media players and authentication tokens. four years. According to leading analysts, so popular. These new devices are capable
the entire segment is forecasted to grow of supporting very high data-rates of 480
New high-processing-power applications nearly 40 percent annually, with hun- megabits/second, imposing minimal
require a high level of security as well as dreds of millions of units manufactured
high performance. This leads to a disruptive
delays compared even to hard disk drives.
every year, reaching more than 700 mil- Interestingly, authentication token with
change in the architecture of the flash
card and USB drive. Undoubtedly, robust,
lion units in 2008. USB interface are also experiencing excep-
high-performance security has to be tional growth as more and more Internet
designed-in early on, taking into considera- One of the main drivers of this growth is applications rely on strong authentication
tion which processor to use along with the tectonic shift of these devices from with these devices. Next in line is the con-
which cryptographic processors and ‘dumb storage’ for digital still cameras to vergence of a high-capacity UFD with a
accompanying firmware. This article ‘smart storage’ for the most commonly highly secure authentication token.
expands on these trends and new used computing device – the mobile hand-
applications. It further explores the security
set, accounting for nearly two thirds of the What Are UFDs and Flash Cards?
and processing requirements of these
applications.
cards shipped in 2008. Despite their different appearance, USB
flash drives and removable flash card
Fortunately, a generic solution for the new At the same time, USB flash drives are form factors share a very similar architec-
age of flash cards and USB drives is now showing even more impressive growth. ture. These products consist of two main
available jointly from ARM and Discretix.
ARM provides the high-performance
processor and Discretix provides a security
solution comprised of hardware crypto-
graphic engines that are tightly coupled
to the ARM processor, complemented
with an easy-to-use firmware interface.
This combination provides a comprehensive,
easy-to-integrate single solution that
cost effectively meets these challenging
requirements.

Figure 1: High-level Architecture of Flash Storage Devices

Information Quarterly [34] Volume 4, Number 1, 2005


Figure 2: Flash Storage Application Landscape
parts, the actual flash memory device and
the controller chip. Figure 1 shows a high-
level architecture of a typical flash card.
NAND flash is predominantly used in
removable flash devices due to its higher
cell densities (and lower cost per
megabyte); NAND flash cells are connect-
ed serially (in contrast to NOR cells that
are connected in parallel), requiring fewer
data lines and therefore leaving more
space for flash cells. In addition, NAND
flash has a relatively short erase/write
cycle time which is beneficial for data stor-
age. Despite its cost effectiveness, NAND
flash has two drawbacks. First, given its
inherent susceptibility to errors, NAND
flash absolutely requires error correction
code (ECC) which usually implements the
Reed-Solomon error correction algorithms.
Secondly, it intrinsically contains bad
blocks that require management. Flash
(NAND and NOR) has limited write cycles
endurance of typically 100,000 to
1,000,000 operations. It therefore requires
wear leveling to ensure that its memory
blocks are used evenly, preventing acceler-
ated wear.
The flash controller manages the data
flow to and from the NAND having inter-
faces to the flash and to the host. Using its
data buffers, it regulates data flow so that
the data rate is synchronized between the
host and the flash device.
Legacy flash cards rely for the most part
on low-end, 8-bit microprocessors with
Information Quarterly
TECHNOLOGY IN-DEPTH
minimal ROM and RAM to support only
basic data read/write operations.
Applications Come into Play
With the advent of smartphones and
enhanced phones capable of running
numerous applications, flash cards will
play a more active role in supporting secu-
rity-conscious applications. Figure 2 shows
some emerging applications such as per-
sonal secure storage, corporate secure stor-
age, Digital Rights Management (DRM)
for content and for software, user authen-
Healthcare Secure Storage
Figure 3: Healthcare Application Using Storage
[35]
tication, M-commerce and M-banking,
and SIM functionality (Subscriber
Identification Module, used in GSM cellu-
lar networks).
Secure Storage Applications
One example of an emerging application
is the healthcare card. Healthcare cards
combine storage capacity sufficient to
accommodate medical information,
including digital imaging, with robust
security that controls access to medical
information. A sophisticated control
access mechanism may allow various
entities to have different authorizations.
Patients would be able to see their own
records, but not modify them. The doctor
would be able to update medical informa-
tion and read existing information, but
not administrative information. Finally,
the insurance company would be able to
read the medical information as well as
read or update administrative informa-
tion. Figure 3 shows the different entities
interacting with the healthcare card.
Healthcare cards provide numerous bene-
fits including:
• Secure exchange of information with
other physicians, in accordance with the
requirements of the US Health Insurance
Portability and Accountability Act
(HIPAA).
• Portability, enabling patients and/or
emergency personnel access to medical
information at all times.
Volume 4, Number 1, 2005

• Reduced paperwork
• Minimize human errors and medical
fraud
Corporate secure storage applications are
another example. They generally involve
multiple users using the same physical
device. The storage device is operated by
different users, including a remote admin-
istrator, at different times. A secure storage
system enforces the required access control
mechanism, so that users obtain the pre-
defined access privileges to their corre-
sponding information.
Naturally, such applications consist of sev-
eral components that are external to the
card (servers, host application, etc.).
However, the security and access policy
must be handled by the card, where the
sensitive information resides.
Digital Rights Management (DRM)
DRM addresses content protection, so that
content consumption (playback) can only
be performed according to predefined pol-
icy, generally defined in a usage rights or
rules object. DRM for flash cards has been
defined by two major standards, the
Content Protection for Removable Media
(CPRM) defined by the 4C Entity for Secure
Digital (SD) cards and MagicGate defined
by Sony and implemented in the Sony
Memory Stick.
On another front, DRM for mobile devices
has recently gained significant traction
with the Open Mobile Alliance (OMA)
DRM V2.0 appearing as one of the leading
schemes for mobile handsets.
The OMA DRM V2.0 currently only
enables storage of content on card without
the card’s participation in any policy han-
dling. In other words, the content is bound
only to the host (handset). However, to
support the “fair use” policy, in which
paid content can be played back on any
device, a more card-centric DRM scheme
must be supported, in which the content is
bound to the card. In such a case, the card
owner will have full flexibility to play
back the content on other devices (e.g.
audio system which is not connected to
any network). Such a scheme, however,
requires the card to support a ‘card-DRM’
application that authenticates the appli-
cation on the host side (to ensure that the
playback application is not an illegal
recorder). Some companies have already
taken the first steps toward developing an
Information Quarterly
TECHNOLOGY IN-DEPTH
OMA DRM V2.0-like application that
endows some of its policy handling capa-
bilities to the card.
Emerging Applications Require
Robust Security
Flash storage is susceptible to physical
examination; its content can easily be
scanned using standard lab tools (e.g.
flash programmers). Therefore, any appli-
cation involving sensitive information
must encrypt such information before it is
stored. It goes without saying that any
sensitive credential or key has to be stored
encrypted in a secure storage in the flash,
otherwise it will be prone to hacking or
tampering. A personal storage applica-
tion, for example, protects sensitive infor-
mation from misuse if the device is lost or
stolen. In contrast, a corporate secure stor-
age application must enforce policy and
protect files against hacking – even by
their legal users. To respond to these
threats adequately, hardware-based
encryption and integrity verification has
to be employed to ensure sensitive infor-
mation does not leak out and cannot be
tampered with.
Mobile banking, remote access and secure
PC login require strong authentication. To
address these requirements, Public Key
Infrastructure (PKI) is typically employed
with RSA (Rivest Shamir Adelman) keys
serving for challenge/response-based
authentication. As the RSA private key is
the most sensitive element in such a sys-
tem, highly secure On-Board Key
Generation (OBKG) is used to create the
RSA key pair (private and public). Since
random values are used in this process, a
hardware-based Random Number
Generator (RNG) has to be used to ensure
the true randomness that cannot be
exploited by hackers.
As storage device applications become
more sophisticated, the masked ROM of
the device becomes too small, and larger
parts of the code must be stored in flash
memory. Secure device boot and firmware
code integrity becomes essential to ensure
that device protection cannot be circum-
vented by merely modifying the code. For
the most flexible verification scheme that
enables new code to be introduced, the
storage device should be equipped with
hardware-based signature verification
capabilities.
[36]
Emerging Applications Require High
Performance
NAND flash storage devices require logic
and CPU resources to handle Error
Correction Code (ECC) since hardware-
based correction is not sufficient at all
times. When data is encrypted, this prob-
lem is further exacerbated, as even an
error in a single bit of data renders the
entire file useless when applying best-
practice, Cipher-Block-Chaining (CBC)
encryption schemes. Additionally, wear
leveling has to be monitored and handled
in the background.
These new emerging applications require
a far greater processing power, as these
devices must handle much more than just
flash read/write operations and ECC. A
significant source of burden on the CPU
comes from CPU-intensive cryptographic
operations if these are done in software. In
particular, RSA operations such as digital
signature and key exchange involve
heavy mathematical calculations entail-
ing significant processing resources. For
such calculations involving large number
multiplications and many load/store oper-
ations, 8-bit processors are insufficient.
Furthermore, 8-bit code also requires a
larger code memory space resulting in an
increase in the cost of the storage device.
Additionally, in the mobile environment
several security applications may have to
run concurrently. For example, a handset
user may listen to a song stored on card
using a DRM scheme. The DRM scheme
typically incorporates encryption of con-
tent using a session key between the card
and the host, without any user interven-
tion or even user awareness of this process.
At the same time, the user may request
through his/her handset application to
open a secure data file. This requires the
card to verify whether it trusts the applica-
tion using an RSA asymmetric key opera-
tion. Support of multi-applications and
multitasking is most effectively addressed
using a card operating system. The oper-
ating system itself consumes CPU process-
ing power.
For those reasons, as storage device appli-
cations evolve, the need to migrate from 8-
bit processors to 32-bit processors becomes
apparent.
Introduction of hardware-based crypto-
graphic processors improves not only the
level of security, but enables significant
Volume 4, Number 1, 2005

CPU offloading. RSA operations for exam-
ple can be calculated using a small dedi-
cated hardware engine in conjunction
with an efficient firmware layer. In this
instance, the CPU is still utilized, but the
cryptographic calculation is much faster.
Furthermore, when a large encrypted file
is read from the storage card, “on-the-fly”
decryption must be done without requir-
ing CPU intervention. This can only be
done using a hardware encryption engine
with direct memory access (DMA) capabil-
ities. In a similar fashion, file encryption
and integrity verification can be per-
formed on the fly at rates exceeding that
of USB 2.0.
CryptoFlash Plus ARM: Performance
and Security
As we have seen, support for the emerging
applications requires both high-perform-
ance microcontrollers and high-perform-
ance security solutions.
Fortunately, such an integrated solution is
available from Discretix and ARM.
ARM 32-bit processors provide the
required processing power for these appli-
cations. In particular the ARM7TDMI
processor and the ARM Cortex-M3 proces-
sor provide high performance combined
with cost- and power-effectiveness yearned
for by flash storage device manufacturers.
The ARM Thumb instruction set (using 16-
bit instructions) enables higher code den-
sity, yielding smaller code size which sim-
plifies memory management of these
SRAM-constrained devices. The ubiquity
of ARM processors may also serve flash
storage devices, as applications written for
Figure 4: Combined ARM and Discretix Solution
Information Quarterly
TECHNOLOGY IN-DEPTH
other ARM core-based devices may be eas-
ily adopted for flash storage devices.
ARM’s rich development environment and
ARM development boards in particular
are valuable assets enabling easy debug
and automated tests that enable faster
development and integration - meaning
short time-to-market.
Discretix has developed CryptoFlash™, a
dedicated security solution for flash stor-
age devices. CryptoFlash is a multi-layered
security solution which is already field
proven. A hardware IP core that includes
cryptographic engines and RNG provide
the basic cryptographic layer. An easy-to-
use firmware layer API, CRYS
(CRYptographic Services), provides access
to the hardware engines and an easy-to-
use API to cryptographic algorithms.
Additional device toolkits such as secure
storage toolkit, DRM agent and others are
offered on top of CRYS. CryptoFlash sup-
ports the high performance on-the-fly
requirements of storage devices and pro-
vides robust hardware implementation of
all essential security building blocks. In
addition, CryptoFlash enables secure boot
and code verification, and implements
state-of-the-art countermeasures to thwart
attacks. Integrated into CryptoFlash is
Discretix’s patented mechanism that pro-
vides both secrecy and integrity verifica-
tion for a large memory space which is not
physically protected.
Figure 4 shows the combined security solu-
tion for storage devices. The CryptoFlash
and ARM processor provide a complete
solution that saves development costs
and shortens time-to-market.
[37] Volume 4, Number 1, 2005