Battery Authentication Architecture and Implementation for Portable Devices

Transcription

1 Battery Authentication Architecture and Implementation for Portable Devices Todd Vanyo and Jinrong Qian, Texas Instruments ABSTRACT Driven by integrated functionality and shrinking form factors, the demand for portable devices such as cellular phones, PDAs, and DVD players has grown significantly during the last few years. These portable devices need rechargable batteries and peripherals that are typically replaced before the life of the portable devices expires. This has opened a huge market for counterfeiters to supply cheap replacements, which may not meet the manufacturing standards or have the safety and protection circuits required by the original equipment manufacturers (OEMs). These counterfeit batteries may violate both mechanical and electrical safety requirements related to short-circuit protection, charge safety, and other specifications. It is usually impossible for the consumer to determine the quality without making a purchase and possibly learning the hard way, leading to a potentially dangerous situation for the end users. Adding simple and effective authentication technology to the portable system allows the OEMs to ensure customer satisfaction and protect their business. The simple identification (ID) and the more complicated challenge and response CRC and SHA-1/HMAC based battery authentication techniques are discussed in detail. The presented battery authentication architectures meet the counterfeit battery challenges to protect OEM potential business and ensure the end-user safety and satisfication. I. EXISTING AUTHENTICATION TECHNIQUES Several techniques are currently used to identify a battery or peripheral intended for the main battery powered product. The most common is the form factor or physical connection. Every cell phone battery on the market has a different aspect ratio, and the physical size of the battery is not even consistent within all the phones manufactured by one company. This provides a modest level of security for the OEM, until a 3 rd party duplicates the physical dimensions and simply buys the connector from one of the various sources for such physical contacts. Economic considerations make changing the physical size or shape of connectors extremely difficult to do in short design cycles. In fact, it would be more economical to standardize form factors and keep them unchanged. Many original manufacturers are moving towards this economic model today. Electrical techniques can be used to replace the unique physical protection eliminated by standardized form factors. The two main electrical authentication techniques available are identification based and challenge/response based. Each technique has strengths and weaknesses that must be considered when designing systems requiring authentication. 3-1

2 II. IDENTIFICATION (ID) BASED AUTHENTICATION TECHNIQUE The most basic form of electrical authentication is an ID based system. Fig. 1 shows an ID authentication functional block diagram. The challenger, or host, sends a command to read the ID data from the device (responder). The data returned from the responder may include a product family code, identification number (ID), and cyclic redundancy check (CRC) value. Typically this technique requires that each device have a unique ID number. The response data is checked for validity by the host. If the information is valid, then the host enables system operation. Otherwise, it may inhibit system operation and provide an error code or warning signal to the end-user. Fig. 2 shows the battery pack typical application circuit with the bq2022 and bq2023, which both provide ID based authentication functionality. The host communicates with the ID chip through a dedicated general purpose I/O or UART to determine if an ID is available and valid. The ID authentication technique weeds out a significant number of non-oems. However, the ID issued by the device is available to anyone with an oscilloscope. It is still possible for the counterfeiters to replicate the ID to the issued command. But, it increases the cost to implement a fake ID. Some non- OEMs go after batteries and peripherals for such high volume products that adding a cheap microcontroller to the system is acceptable. To counter this threat, a more robust challenge/ response authentication technique must be employed. Challenger - Host Command Responder Response Validator Response Family Code ID CRC Values Fig. 1. ID authentication functional block diagram. PACK+ PACK+ SDQ PACK- bq2022 VSS SDQ VSS bq27000 Gas Gauge IC Battery Pack + R SNS SDQ TS R1 100 kω RT: 103AT bq2023 PDET SDQ STAT VSS VCC SRP SRN RBI R SNS C1 0.1 μf + Li-Ion Cell Protector Protector TS RT: 103AT Fig. 2. Typical application circuit with ID chip. PACK- Battery Pack 3-2

3 III. CHALLENGE AND RESPONSE BASED AUTHENTICATION TECHNIQUE ID-based authentication increases complexity by forcing the counterfeiter to identify the ID and the command. But this can be done with an oscilloscope and knowledge of the communication protocol; the technique is secure by adding cost to the system. If cost improves security, a non-original manufacturer moves on to a battery or peripheral without this functionality. But for those non-original manufacturers willing to add cost to their system to secure a business opportunity, something more robust than ID-based authentication is needed. The cost-effective and robust approach is based on a challenge/response technique shown in Fig. 3. The major components of this technique are the random challenge and a secret known only to the challenger and responder. In this technique, the host sends a random challenge to the battery pack that contains the identification device, or responder. The challenge consists of random data generated by the host. The secret key is either shared or transmitted securely from one side to another. A shared secret is typically static from responder to responder, minimizing the secure memory requirements on the host. A system that requires each responder to have a different secret would require secure transmission of that secret from the responder to the host. Transmitting the secret securely typically means sending an encrypted version of the secret over a public communication channel. The encrypted secret must be decrypted at the host before it can be used in the authentication calculation. Challenger - Host Secret Authentication Transform Challenge Expected Answer Fail No Match? Yes Authenticated Secret can be shared or transmitted securely from one side to the other Calculated Answer Challenge is a random number that changes each time it is transmitted Secret Authentication Transform Challenge Fig. 3. Challenge and response based authentication technique. 3-3

4 When the authentication device receives the challenge information, it combines the challenge and a plaintext version of the secret, stored in private memory, and performs the authentication transform to calculate the response. On the other side, the host performs the same transform using the challenge and the plaintext version of the secret it stores. The host compares the value it computes against the response obtained from the identification device. If the calculated data from the authentication device matches the expected answer from the host, then the host authenticates the battery and allows the system to start operation. Otherwise, it may inhibit the system operation and provide a warning signal to the end-users. Why is this technique more secure than the straight ID based technique? The single ID authentication technique has a fixed response to a fixed challenge or command. It is relatively easy for the counterfeiters to find out the fixed challenge and command. However, the challenge and response secure technique changes the query and response every time. A relatively large and random challenge makes a look up table solution very expensive in terms of memory, which has a direct correlation with the monetary cost, and is difficult to guess. In addition, part of the transform involves a secret shared between the challenger and the responder. Security then resides in the secret, allowing the technique to use a public authentication transform algorithm. Public authentication transforms are good because they can be thoroughly and properly evaluated for robustness against attacks to reveal the secret. IV. CHALLENGE AND RESPONSE CRC BASED AUTHENTICATION IMPLEMENTATION Fig. 4 shows the bq26150 block diagram of a Cyclic Redundancy Code (CRC) based authentication implementation based on the concept of challenge and response authentication technique discussed above. Private Non-Volatile Memory 96-bit (PI) Plaintext ID 16-bit (PP) Plaintext Poly. 16-bit (PS) Plaintext Seed Public Non-Volatile Memory 96-bit (EI) Encrypted ID 16-bit (EP) Encrypted Poly. 16-bit (ES) Encrypted Seed 128-bit General Use HOST Communication CRC Authentication Public RAM 8-bit Control 32-bit Challenge 16-bit Auth Code Power Control Fig. 4. Response CRC based authentication block diagram. 3-4

5 It combines a 32-bit challenge (transmitted from the host) and a 96-bit secret key (ID) through a CRC defined by a 16-bit secret polynomial and 16-bit secret initialization (seed) value to generate a 16-bit response. The 96-bit ID, 16-bit polynomial, and 16-bit seed correspond to the box labeled Secret in the Responder of Fig. 3 and may be unique to each device. The plaintext version of the ID, polynomial, and seed are stored in private memory that can only be read by the bq The 128-bit of secret information may be stored on the host as plaintext or stored with the bq26150 in encrypted form to be read and decrypted by the host at the time of authentication. The encryption method used to store the polynomial coefficients and the device ID can be selected by the manufacturer. To authenticate a battery pack, the host reads the encrypted device ID, polynomial, and seed values from the public memory. It decrypts those values using the appropriate decryption method and then generates a 32-bit random challenge. The generated random challenge is transmitted to the authentication device, which uses the plaintext version of the polynomial coefficients, seed, and device ID, along with the 32-bit random challenge from the host to calculate the authentication CRC value. The host uses the polynomial coefficients, seed, and device ID it has in memory, along with the 32-bit random challenge that it sent to the authentication device to calculate the authentication CRC value. When the host and the authentication device have completed the calculation, the host reads the authentication CRC value from the authentication device and compares it to its own value. If the values match, the battery pack is authenticated and the host can initiate the system start command and communicate with other devices in the battery pack such as a gas gauge. If the authentication fails, the host may provide a warning signal to the end user and not initiate the system start command. Fig. 5 shows the battery pack typical application circuit with the bq26150, CRC based battery authentication. The authentication chip has an internal regulator powered by the communication line and it can communicate to the gas gauge IC. If the authentication fails, the host may not allow charging the battery and provide a warning signal to the user. The CRC based authentication provides a simple and cost effective solution to authenticate battery packs for end equipment. PACK+ HDQ R1 5 kω bq26150 HDQ HDQP R2 100 kω BAT VCC SRP + VSS PWR HDQ R SNS VSS C1 0.1 μf VSS SRN bq27000 Protector TS RT: 103AT PACK- Fig. 5. Response CRC based authentication block diagram. 3-5 Battery Pack

6 V. CHALLENGE AND RESPONSE SHA-1 BASED AUTHENTICATION IMPLEMENTATION In order to achieve high level of authentication, a more sophisticated algorithm such as SHA-1/HMAC can be used. The SHA-1/HMAC has been used for a number of years to authenticate Internet transactions for Virtual Private Networks, banking, and digital certificates. The algorithm used in SHA-1/HMAC is iterative. One way hash functions can process a message to produce a condensed representation called a message digest. It enables the determination of a message s integrity. Any change to the message results in a different message digest with a very high probability. This property is useful in the generation and verification of digital signatures and message authentication codes. Fig. 6 shows the block diagram of the bq26100, a SHA-1/HMAC based authentication device. The authentication principle is similar to the CRC based except the algorithm is different. To authenticate a battery pack, the host generates a 160-bit random challenge and transmits to the authentication device. Both the host and the authentication device combine the plaintext version of the 128-bit secret along with the 160- bit random challenge to calculate the authentication digest value. The 128-bit secret can be stored in secure memory on the host or read in encrypted form from the authentication device for decryption at authentication time. As with the CRC based device, the encryption/ decryption method for the secret is up to the discretion of the system designer. When the host and the authentication device have completed the calculation, the host reads the authentication digest value from the authentication device. It then compares to its own value. If the values match, the battery pack is authenticated. Otherwise, the host may not initiate the system start-up command or provide a warning signal to the end user. Since there is a 160 bit random challenge, it generates possibilities. This significantly improves the security level. However, SHA-1/HMAC algorithm requires more memory, which increases the cost. Private Non-Volatile Memory 128-bit Plaintext Key Public Non-Volatile Memory 128-bit Encrypted Key 1024-bit General Use HOST Communication SHA-1/HMAC Authentication Public RAM 8-bit Control 160-bit Challenge 160-bit Digest Power Control Fig. 6. Challenge and response SHA-1/HMAC based authentication diagram. 3-6

7 VI. CONCLUSIONS As portable products become more commonplace, techniques need to be put in place to ensure that batteries and peripherals used by those products meet the original manufacturer s safety requirements. The selection of a battery authentication depends on the security level needed and cost for the applications. The simple ID authentication is cheapest, but can be replicated easily. The challenge and response based authentication techniques are more expensive. However, they have highest security and are good for the highend portable applications. 3-7

8 VII. APPENDIX A. Cyclic Redundancy Code (CRC) Computation Example An 8-bit CRC is used here as an example to show how to calculate a CRC value. Assume the CRC seed (Initial CRC value) is 0x00, and initial CRC data input, or the first byte of the challenge, is 0x0F. The CRC polynomial is 1+x 4 +x 5 +x 8, where x 8 only indicates that it is an 8-bit CRC. This polynomial coefficient is represented as 0x8C. Here are four steps to calculate the CRC value. Step Action 1 Compare LSB of the CRC value with CRC data. 2 If they are not equal, then shift right both values and then add polynomial coefficient to CRC value with XOR after being shifted. 3 If they are equal, shift right CRC value and CRC data. 4 Repeat procedure until 8 sets of LSB bits have been compared. 5 The last CRC value is final CRC value Table 1 shows step-by-step CRC calculation based on the assumptions above. The expected final CRC value is 0x41. Table 1 shows step-by-step CRC calculation based on the assumptions above. The expected final CRC value is 0x

9 TABLE 1: STEP-BY-STEP CRC CALCULATION Byte Action Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 CRC Seed Initial Data value Initial Data value After 1st shift CRC After 1st shift Poly CRC After Adding Data value Data value After 2nd shift CRC After 2nd shift Poly CRC After Adding Data value Data value After 3rd shift CRC After 3rd shift Poly CRC After Adding Data value CRC After 4th shift Data value After 4th shift CRC After 5th shift Data value After 5th shift CRC After 6th shift Data value After 6th shift Data value After 7th shift CRC After 7th shift Poly CRC After Adding Data value Data value After 8th Shift CRC After 8th Shift The steps for CRC computation outlined above can also be expressed in pseudo-c code as shown in Table 2. TABLE 2 PSEUDO-C CODE FOR CRC GENERATION for (i = 0; i < 8; i++) { if (crc[0] ^ input[i]) crc = (crc >> 1) ^ poly; else crc = crc >> 1; } 3-9

10 B. System Level Flow for Challenge/Response Based System If the Host has prior knowledge of the plaintext secret stored in the Responder: Step Action 1 Host microcontroller generates challenge of appropriate length and transmits it to the Responder. 2 Host issues authentication command to the Responder. 3 Host computes the expected response based on the generated challenge, known plaintext secret, and the authentication algorithm. 4 Host queries Responder for authentication response. 5 Host compares the response from the Responder to the expected response computed locally. If the Host does not have prior knowledge of the plaintext secret stored in the Responder: Step Action 1 Host microcontroller generates challenge of appropriate length and transmits it to the Responder. 2 Host issues authentication command to the Responder. 3 Host reads the encrypted secret from the Responder. 4 Host decrypts the encrypted secret to recover the plaintext secret. 5 Host computes the expected response based on the generated challenge, known plaintext secret, and the authentication algorithm. 6 Host queries Responder for authentication response. 7 Host compares the response from the Responder to the expected response computed locally. 3-10