alt.embedded
Retrofitting Secure Storage

Retrofitting Secure Storage

Swissbit’s data-protection technology allows SD cards to provide features like encrypted, write-only operations.

Protecting data from corruption, attack, and errors can be done using simple storage managed by software that takes these issues into account and incorporates features and methodologies to mitigate these problems. Sometimes these features are included in hardware, such as self-encrypting drives (SEDs) that encrypt and decrypt data once the drive is unlocked. Unfortunately, SEDs need additional, albeit minimal, software interaction to operate.

Swissbit’s line of flash storage devices incorporates a number of useful security and reliability features, including the industrial data-protection (DP) edition (see figure). The DP edition implements these features by putting a secure microcontroller between the host and storage. As a result, different features can be utilized by an application, often without requiring software modification.

For example, the CD-ROM-style write-once read-many (WORM) operation allows an application to append new data, but not modify existing information. In turn, a DP SD card can be utilized by a system that already writes its data or log to an SD card, but it now becomes impossible to change what was written. This assumes the application doesn’t need to update anything, such as a directory entry.

Swissbit’s data-protection technology adds smart, secure storage management that can be transparent to existing applications.

A more advanced methodology can take advantage of the AES encryption support that can encrypt the data as it’s written. A key and software to enable decryption can be used on another system when the SD card is moved to it, allowing the data to be examined. Such capability is useful in many accounting applications from voting machines to cash registers. Again, the software creating the log must not need to examine it, although it could read and transmit the encrypted data that could then be decrypted.

Swissbit’s solution is configurable and supports additional features like PIN-protected storage and its own nonvolatile RAM (NVRAM) secure storage for keys. The approach used by the company can support features like secure update, since it’s able to authenticate information written to its storage and only allow authenticated data to be utilized. This requires configuring the storage media and providing encrypted data, but it can be done transparently to the application using the storage device.

Developers can take advantage of Swissbit’s products, though the idea of providing an intelligent front end to storage isn’t new. However, that task does tend to be overlooked.

Protection of serial nonvolatile storage is available from other vendors as well. Macronix has a password-protected SPI flash memory—protected blocks can only be written using the proper password. This allows secure-boot features to be incorporated into a system that boots from SPI storage.

By swapping an existing SPI or I2C memory device for a secure device like Microchip’s CryptoMemory, it’s possible to modify an application so that it can take advantage of the chip’s secure storage and authentication/encryption hardware. It’s not as transparent as some of the earlier approaches, but can be incorporated often with minimal software modification.

Another option is to replace a serial flash storage device with a microcontroller. This is a bit more complex and overkill for many applications, but it’s one way to retrofit custom security support similar functions found in Swissbit’s solution. It may also offer other possibilities in terms of providing custom functionality.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish