How do you protect your products so counterfeiters cannot copy and sell an equivalent product for a lot less money? Counterfeit products – from complete motherboards, to battery packs, to servers – can cause all sorts of problems and tarnish a legitimate manufacturer's reputation.
Now by adding a small 3-pin IC to a circuit board you can ensure its authenticity and reject any counterfeits. The Atmel AT88SA102S chip does the trick because it includes a Secure Hash Algorithm-256 (SHA-256) crypto "engine" that will authenticate the product in which it resides. In operation, a host system "challenges" the device with a 256-bit random number. The chip hashes that number with a 256-bit key and generates a 256-bit response that it sends back to the host. (The chip comes in an SOT23 package, uses a 1-wire serial interface, and costs $US 0.66 each in 100-piece quantities.)
The high level of security provided by the SHA-256 algorithm prevents anyone from using a brute-force method to hack the chip and duplicate its function to "spoof" a host controller. Counterfeit products that lack a chip programmed with your unique key become easy to detect.
I tried a small evaluation board from Atmel that includes an AT88SA102S CryptoAuthentication chip. The USB eval board, part number AT88SA-ADK1, costs $US 19.95. You'll find a data sheet for the AT88SA102S chip, demo software, and more information at: www.atmel.com/Rhino. You must register on the Atmel site to access demo software, firmware, and Gerber files.
The USB eval board comes in a small container with simple instructions. You download software from the Atmel Web site.
According to the AT88SA102S data sheet, almost all security techniques use one of the following key-management strategies:
- The host stores a fixed challenge-response number pair. The host sends its challenge but only an authentic CryptoAuthentication chip can generate the correct response. Since the host saves no "secret" information, you incur no security cost on the host. Each host may have a different challenge-response pair and/or each client may have the same key.
- The host computes the response that a given client should provide for a random-number challenge. In this case, the host must protect the algorithm used to produce the expected response. To do this, you can use a CryptoAuthentication chip on the host, too.
Atmel provides more information in its “CryptoAuthentication Product Uses” applications note.
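The first strategy, sketched as an added example (not Atmel's demo software or code from the data sheet): a factory step derives a different challenge-response pair for each host, and the host later checks a chip without ever holding the key. The function names, host IDs and keys are assumptions made for illustration, and the chip is modelled as a plain SHA-256 over key and challenge rather than the device's real message layout.

```python
import hashlib
import hmac
import secrets

def chip_response(key, challenge):
    # Simplified model of the client chip: SHA-256 over key || challenge.
    # The real AT88SA102S input layout is in its data sheet and is not
    # reproduced here.
    return hashlib.sha256(key + challenge).digest()

def provision_hosts(key, host_ids):
    # Factory step, the only place the key is used. Each host gets its own
    # (challenge, expected response) pair and never holds the key.
    pairs = {}
    for host_id in host_ids:
        challenge = secrets.token_bytes(32)  # 256-bit challenge
        pairs[host_id] = (challenge, chip_response(key, challenge))
    return pairs

def host_accepts(pair, ask_chip):
    # Field step: send the stored challenge, compare in constant time.
    challenge, expected = pair
    return hmac.compare_digest(ask_chip(challenge), expected)

# Constructed sample keys, not real device values.
GENUINE_KEY = bytes.fromhex("11" * 32)
OTHER_KEY = bytes.fromhex("22" * 32)
PAIRS = provision_hosts(GENUINE_KEY, ["host-A", "host-B"])

def genuine_chip(challenge):
    return chip_response(GENUINE_KEY, challenge)

def unkeyed_chip(challenge):
    # A part that was never programmed with the manufacturer's key.
    return chip_response(OTHER_KEY, challenge)

def run_demo():
    # Maps host ID -> (genuine chip accepted, unkeyed chip accepted).
    return {h: (host_accepts(p, genuine_chip), host_accepts(p, unkeyed_chip))
            for h, p in PAIRS.items()}

if __name__ == "__main__":
    print(run_demo())
```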
Atmel preprograms a manufacturer's ID value and a unique serial number in each device and the chips come with preset internal keys that users – and hackers – cannot read. Secret fuses in each IC let a product manufacturer set its own 64 bits that augment the preset keys. You can find more details in the AT88SA102S data sheet.
When I used the demo program, I entered eight ASCII characters (asdfghjk) to create the 64 secret bits I burned permanently into the chip on my USB stick. To test the chip, the PC-based demo program would generate a 256-bit random number or I could enter a 256-bit value (as ASCII codes in the demo) to test the authentication process. I tried both approaches.
The chip also includes 23 non-secret status bits a company can use for its own purposes – perhaps to track a firmware version or to enable/disable features. These bits could let a supplier track product use, too. Perhaps the host controller could burn one fuse after every 1000 uses of the product, after every 10,000 hours of operation, each time someone replenishes supplies, whenever operating temperature exceeds a specified value, and so on.
This versatile chip offers developers a lot of security in a small package. It's worth investigating further unless you figure it's OK for others to rip off your designs.
-- Jon Titus


Jon Titus said,
Jun 4, 2009 @ 12:03 PM
Shortly after I wrote about the Atmel AT88SA102S CryptoAuthentication chip, the company introduced a CryptoAuthentication IC that operates within a host system. The AT88SA10HS IC provides a virtually uncrackable authentication system for electronic end-product consumables such as ink cartridges, battery packs, blood bags, and breathing tubes. They also can help protect end-products from bogus firmware updates and validate software or media modules. Find more information at: www.atmel.com/products/cryptoauthentication/default.asp
The AT88SA10HS host device off-loads key storage and execution of authentication algorithms from a system MCU that might have limited process "headroom," limited math capabilities, or tight memory requirements. Usually, the host side of the authentication process has required the system MCU to execute security code. This code could be vulnerable to modification or copying when stored in an external unprotected flash memory device. Each AT88SA10HS host device has a unique serial number, a 256-bit key permanently stored inside the chip, and an additional 63-bit "secret" stored in a fuse array.
At the beginning of a transaction, such as unlocking a door or installing an ink cartridge, the client sends its serial number to the AT88SA10HS host chip, which performs a SHA-256 hash based on its 256-bit host key, the client’s serial number, and a random number generated by the system microcontroller. The host also sends the random number to the client as a “challenge”. The AT88SA1xxS client then performs the same SHA-256 hash, based on the random number sent by the host, the client’s serial number and the client’s 256-bit key. The resulting digest, or “response”, is sent back to the AT88SA10HS via the host microprocessor which compares this response with the SHA-256 digest from its earlier calculation and makes a determination whether or not the client is authentic.
The AT88SA10HS host-side CryptoAuthentication IC incorporates a number of physical security features that protect the keys. These include an active shield over the entire surface of the part, internal memory encryption, internal clock generation, glitch protection, voltage tamper detection and other physical design features. Pre-programmed keys stored on the AT88SA10HS are encrypted in such a way as to make retrieval of their values via outside analysis virtually impossible. Both the clock and logic supply voltage are internally generated, preventing any direct attack via the pins on these two signals. --Jon Titus
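The host-chip transaction described in the comment above, modelled as an added example that is not part of the original post or Atmel's code: the system MCU only generates the random number and relays messages, while the key and the expected digest stay inside the host chip. Class and function names, the sample key and serial number, the field order inside the hash, and the assumption that both chips hold the same 256-bit key are all illustrative.

```python
import hashlib
import hmac
import secrets

def digest(key, serial, nonce):
    # Stand-in for the chips' SHA-256 step over key, client serial number
    # and random number. Field order here is an assumption.
    return hashlib.sha256(key + serial + nonce).digest()

class ClientChip:
    def __init__(self, key, serial):
        self._key, self.serial = key, serial
    def respond(self, nonce):
        return digest(self._key, self.serial, nonce)

class HostChip:
    # Keeps the key and the expected digest off the system MCU.
    def __init__(self, key):
        self._key, self._expected = key, None
    def prepare(self, serial, nonce):
        self._expected = digest(self._key, serial, nonce)
    def check(self, response):
        expected, self._expected = self._expected, None  # one use only
        return expected is not None and hmac.compare_digest(response, expected)

def mcu_authenticate(host, client, response_override=None):
    # System MCU: make the random number, relay messages, never see a key.
    nonce = secrets.token_bytes(32)
    host.prepare(client.serial, nonce)
    response = client.respond(nonce)
    verdict = host.check(response_override or response)
    return verdict, response

# Constructed sample values; both chips are assumed to share KEY.
KEY = bytes.fromhex("a5" * 32)
SERIAL = bytes.fromhex("0123456789ab")
host = HostChip(KEY)
genuine = ClientChip(KEY, SERIAL)
wrong_key_client = ClientChip(bytes.fromhex("5a" * 32), SERIAL)

def run_demo():
    ok, old_response = mcu_authenticate(host, genuine)
    wrong_key, _ = mcu_authenticate(host, wrong_key_client)
    stale, _ = mcu_authenticate(host, genuine, response_override=old_response)
    return ok, wrong_key, stale

if __name__ == "__main__":
    print(run_demo())  # genuine, wrong key, stale response
```

Because every transaction uses a fresh random number, a response captured from an earlier transaction does not verify against the next challenge, and a matching serial number alone is not enough without the key.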
Lilian said,
Dec 16, 2011 @ 12:54 AM
Economies are in dire straits, but I can count on this!