
Secure Microcontroller User’s Guide

74 of 187

9. FIRMWARE SECURITY

One of the outstanding features of the secure microcontroller is its firmware security. The family far
surpasses the standard offering of ROM-based microcontrollers in keeping system attackers or
competitors from viewing the contents of memory. In a standard EPROM-based microcontroller, a
knowledgeable attacker can disable the EPROM security bit and have access to the entire memory
contents. The secure microcontroller’s improved security makes it a natural choice for systems with high
security requirements such as financial transaction terminals. However, the firmware security can also be
employed to keep competitors from copying proprietary algorithms. Allowing access to these algorithms
can create an instant competitor. This section describes the security features and their application. Also
included are guidelines for using microcontroller security within the framework of total system security.
As with memory map control, there are variations between the different secure microcontroller versions.
The original DS5000 has a high level of firmware security and the DS5002 has added several distinct
improvements. Note that the DS5001 has only minimal security and should only be applied when other
physical security is used or when security is not needed.

Security Overview

The usefulness of the security features is evident in an application that dispenses services on a pay-per-
service basis. Electronically bypassing the security would allow the service to be dispensed for free,
resulting in lost revenue to the system owner. Another common application is the transmission of secret
information. In an unsecured system the user's algorithm and key data could be observed, resulting in a
break in the secure transmission. The secure microcontroller family protects the contents of memory from
being viewed. This is done with a combination of circuit techniques and physical security, and the
combination is a formidable defense. Regardless of the application, the secure microcontroller protects
the contents of memory from tampering and observation. This preserves secret information, access to
services, critical algorithms, etc. The security features of the secure microcontroller include physical
security against probing, memory security through cryptographic scrambling, and memory bus security
that prevents analysis of the CPU's operation. The table below provides a brief summary of the versions
and their security features. A detailed description of each feature follows. In the descriptions, elements
that are unique to a particular secure microcontroller version have that version underlined (in the printed
guide).

FEATURE                    DS5001    DS5000                   DS5002
Security Lock              Yes       Yes                      Yes
RAM memory                 Yes       Yes                      Yes
Encrypted memory           None      Yes, user must enable    Yes
Encryption Key             None      48 bits                  80 bits (64 bits rev Bx)
Encryption Key Selection   None      User selected            True random number
Encryption Keys loaded     N/A       When user selects        Automatic, any new load/dump
Dummy bus access           None      Yes, when encrypted      Yes
On-chip Vector RAM         None      Yes, when encrypted      Yes
Self-Destruct Input        None      None                     Yes
Die Top Coating            None      None                     Optional (only on DS5002FPM)
Random Number Generator    Yes       None                     Yes

9.1 Security Lock

The easiest way to dump (view) the memory contents of a secure microcontroller is using the bootstrap
loader. On request, the loader will transfer the contents of memory to a host PC. The security lock
prevents this. The lock is the minimal security feature, available even in the DS5001FP. Once set, the
security lock prevents the loader from accessing memory. In fact, no loader commands (except Unlock)
will work while the lock is set. The security lock is similar in function to an EPROM security bit on a