13 application: advanced security techniques, Pplication, Dvanced – Maxim Integrated Secure Microcontroller User Manual

Secure Microcontroller User’s Guide

82 of 187

spend a long time breaking into the DS5000, but the user can simply change system security at any time.
Thus any stolen information has a very limited lifetime.

DS5001FP/DS2251T
The DS5001 is a newer product than the DS5000, but has less security. It is useful in systems that need a
large memory, but that provide sufficient physical security for all needs. The DS5001 incorporates a
security lock. This is used to prevent the bootstrap loader from dumping memory. Once locked, the
bootstrap loader cannot access the memory. Unlocking the DS5001 causes the bootstrap loader to write
over the NV RAM. The RAM nature of the DS5001 product allows a user to vary security frequently and
to manually destroy it if necessary.

DS5002FP/DS2252(T)
The DS5002 adopts the memory and I/O improvements of the DS5001 and improves on the security of
the DS5000. It is a high security version of the DS5001. This device is intended for maximum security
and has numerous improvements to the DS5000. The security is always enabled on a DS5002. Thus an
attacker cannot characterize the security and the user cannot forget to enable the security. The DS5002
follows a similar scheme of memory encryption and Security Lock. The DS5002 encryptor is a superior
algorithm using an 80-bit encryption key. In addition, the Key is managed by the DS5002. Using the
Bootstrap Loader, each part generates a random number for its 80-bit Key prior to loading memory.
Leaving and reentering the Bootstrap loader causes the DS5002 to select a new number as a potential
Key. Any subsequent memory access with the Loader causes the new Key to be installed. Like the
DS5000, the DS5002 also uses dummy bus access and Vector RAM to further hide memory bus activity.
The Security Lock of a DS5002 is similar in nature to the DS5000. Once locked, the DS5002 Bootstrap
Loader does not have access to memory. Unlocking the DS5002 destroys the Encryption Key and Vector
RAM. The NV RAM accessed by the Bytewide bus is also manually erased under Bootstrap Loader
control. The DS5002 provides an external method to clear the Security Lock using its Self-Destruct Input
(SDI). This causes the erasure of the Key and Vector RAM and also removes power from the NV RAM.
The DS5002FPM provides an internal metal microprobe shield to prevent microprobing of the die.

9.13 Application: Advanced Security Techniques

The secure microcontroller family has been used for numerous applications requiring security. Different
levels of security are required depending on the sensitivity of the application and the value of the
protected information. As mentioned above, the goal of the microcontroller security is to make stealing
the protected information more difficult than the information is worth. This task actually has two pieces.
First, the secure microcontroller makes attack difficult. This is combined with the user’s physical security
to make information retrieval difficult. The second part is to make the protected information less
valuable. To this end, the NV RAM nature allows a user to frequently alter the firmware based security
aspects of the system. Thus if the critical information changes before the security can be broken, the
information that is actually retrieved will be worthless. To assess the security of a system, the total
implementation must be examined. The DS5000FP or DS5002FP provide a high level of security, but the
user’s firmware can accidentally defeat some features. A sampling of implementation issues that will
make the DS5000FP or DS5002FP more difficult to crack is discussed in the following paragraphs. There
are also suggestions on making a system more secure using external circuits.

Avoid Clear Text

The encryption algorithms used by DS5000FP or DS5002FP are generally adequate to prevent analysis
when combined with well-developed code. However, the encryption is defeated to some extent if the user