Secure Authenticators
Security Lab
DS28C36 Secure Authenticator
Overview of the DS28C36
Challenge & Response Authentication
Symmetric SHA-256
Challenge & Response Authentication
Asymmetric ECDSA
Authenticated Write
Symmetric SHA-256
Authenticated Write
Asymmetric ECDSA
ECDH key establishment & Encrypted IO
Secure Download
Preserving Integrity using Asymmetric Key Algorithms
Secure GPIO
SHA-256 HMAC based Encryption
True Random Number Generator
Secure Decrement Counter
DS28E38 Secure Authenticator
Overview of the DS28E38
Challenge & Response Authentication
Asymmetric ECDSA
True Random Number Generator
Secure Decrement Counting
Security Lab

Running the Lab

    1. Order the MAXAUTHDEMO1# or MAXAUTHDEMO2#
    2. Plug in the boards and connect cable to the PC's USB port
      hardware

    3. Download the Security Lab application
    4. Run the Security Lab application
    5. A command window will open with a prompt to 'Enter link code'. Type the code below at the prompt.
      131683
      running lab connection code
    6. Select the desired hardware
    7. Select Hardware


    8. Press the Start Connection button to establish connection between the website and the Security Lab application
      Start Hardware Interface
      Hardware Connection Not Ready


Provides Affordable Elliptic-Curve Public-Key Authentication Security to Protect Your Development Investment

Introduction

The DS28C36 (Figure 1) is a ECDSA (elliptic curve digital signature algorithm) and SHA-256 (secure hash algorithm, 256 bit) authenticator, which is operated over I2C interface. The three ECDSA private and public key pairs for signature generation and verification can be computed by the device or installed by the user and optionally locked. Separate memory space may be used to store and lock a public-key certificate. The 8kb of secured EEPROM provides a 4kb user partition that is organized as 16 pages of 256 bits and can be left unprotected or irreversibly write-protected, read-protected, authentication-protected, encrypted, or set up for EEPROM emulation mode. The DS28C36 also features a FIPS-grade TRNG (true random number generator), and a one-time settable, non volatile, 17-bit decrement-only counter, which can be used to electronically control the lifetime of the object with which the DS28C36 is associated. Each device has its own guaranteed unique 64-bit ROM ID, factory programmed into the chip. This ROM ID is an input parameter for cryptographic operations.

ds28c36 block diagram

Figure 1. DS28C36 Block Diagram

Product Details

Parametric specs for Secure Authenticators


Crypto Engine Asymmetric
Symmetric
Applications IP Protection
Medical Consumable ID
Medical Sensor Authentication and Calibration
Medical PCB ID and Authentication
Print Cartridge Authentication

Simplified Block Diagram

DS28C36: Typical Application Circuit

ds28c36 typical circuit
  • Asymmetric & Symmetric functions for core set of crypto tools
    • FIPS186 ECDSA P256 signature and verification
    • FIPS180 SHA-256 for HMAC
    • ECDH key establishment function to support encrypted I/O of sensitive data
    • configurable ECDSA or HMAC authenticated R/W memory
  • NIST SP 800-90B TRNG with command to output RND
  • Multiple configurable key options
    • 3x Pu/Pr key pairs for ECC
    • 2x Secrets for SHA-256
  • GPIO pins: 4mA/0.4V
    • Optional ECDSA or SHA-256 authentication ON/OFF and state read
    • Optional ECDSA to set ON/OFF after multi-block Hash for Secure Boot
  • Decrement-only counter with authenticated read
  • 8kb EEPROM
  • Unique factory programmed read-only serial number (ROM ID)
  • Strong protection against invasive and non-invasive security attacks
  • 3.3V; -40C to +85C, 3x3 TDFN

Challenge & Response Authentication Using Symmetric SHA-256

  • Connectivity Between Host and Device

Host Computed Destination Secret

Select Page

Authentication Result



Challenge & Response Authentication Using Asymmetric ECDSA

  • Connectivity Between Host and Device

Verify Peripheral is Authentic within the System
Modify Message Digest

Authentication Result


Press Next to Start USB Adapter Connection

Authenticated SHA-256 Write

  • Connectivity Between Host and Device

Host Computed Destination Secret

Peripheral Page 0

New Page Data

Authenticate New Page Data

Authenticated ECDSA Write

  • Connectivity Between Host and Device

Peripheral Authenticate Host's Public Key for Writes

Peripheral Page 1

Authenticate New Page Data

Authentication Result

ECDH Key Establishment and Encrypted IO

  • Connectivity Between Host and Device

Host Verify the Peripheral is Authentic within the System

Compute Peripheral Session Key

Compute Host Session Key

Host Reads and Decrypts Encrypted Page 2 Data

Press Next to Start USB Adapter Connection

Secure Download

  • Connectivity Between Host and Device

Verify Peripheral is Authentic within the System

Host Sign Download Data

Press Next to Start USB Adapter Connection

Secure Encrypted GPIO

  • Connectivity Between Host and Device

Host Computed Destination Secret

GPIO Page
maxrefdes1 gpio

Press Next to Start USB Adapter Connection

True Random Generator

  • Connectivity Between Host and Device

Select Number of RNG Bytes

Press Next to Start USB Adapter Connection

Secure Counting

  • Connectivity Between Host and Device

Secure Counting

Press Next to Start USB Adapter Connection

Protect your design using Crypto-Strong Authentication Secured with a Physically Unclonable Function

Introduction

The DS28E38 (Figure 1) is an ECDSA public-key based secure authenticator that incorporates Analog's patented ChipDNA feature, a physically unclonable function (PUF) to provide a cost-effective solution with the ultimate protection against security attacks. The DS28E38 security guide describes the command sequences to use ChipDNA with the cryptographically secure device data, and to operate the ECDSA engine, the decrement-only counter, and the unique 64-bit ROM identification number (ROM ID). After a 1-Wire® Reset/Presence cycle and ROM function command sequence is successful, a DS28E38 is ready to accept the device function command sequence. Common to all device function commands is a command start issued first followed by a length byte, the device function command, and the parameter byte(s). The controller receives a 16-bit CRC as confirmation of the device function command sequence to verify that it was received properly. Then the release byte can be issued followed by a delay with strong pullup (i.e., a low impedance bypass to supply high current demands during command processing). When the delay is complete, the controller transmits a dummy byte and receives the length byte and result byte from DS28E38. Depending on the length byte received, subsequent result data may or may not be sent after the result byte. Finally, the controller receives another 16-bit CRC as confirmation of the data DS28E38 sent after the dummy byte.

ds28e38 block diagram

Figure 1. DS28E38 Block Diagram

Product Details

Parametric specs for Secure Authenticators


Crypto Engine Asymmetric
Applications IP Protection
Medical Consumable ID
Medical Sensor Authentication and Calibration
Medical PCB ID and Authentication
Print Cartridge Authentication

Simplified Block Diagram

DS28E38: Typical Application Circuit

ds28e38 typical circuit
  • Protected with Physically Unclonable Function (PUF)
  • ECDSA-based Challenge/Response Authenticator
    • FIPS186 ECDSA Engine
    • FIPS180 SHA-256 Engine
  • NIST SP 800-90B TRNG with command to output RND
  • 2kb E2 Array for User Memory and Public-Key Certificate
  • Decrement-only counter with authenticated read
  • Unique factory programmed read-only serial number (ROM ID)
  • Strong protection against invasive and non-invasive security attacks
  • 3.3V; -40C to +85C, 3x3 TDFN

Challenge & Response Authentication Using Asymmetric ECDSA

  • Connectivity Between Host and Device

Verify Peripheral is Authentic within the System
Modify Message Digest

Signature Generation



Press next to load device info

True Random Generator

  • Connectivity Between Host and Device

Select Number of RNG Bytes

Press Next to Start USB Adapter Connection

Secure Counting

  • Connectivity Between Host and Device

Secure Counting

Press Next to Start USB Adapter Connection