Mitsubishi DS907x SIP, DS5000TK Encryption Algorithm, Encryption Key Selection and Loading

Models: DS5000TK DS907x SIP


USER'S GUIDE

Encryption Algorithm

The Secure Microcontroller family uses a proprietary algorithm to encrypt memory. The DS5000FP and DS5002FP use different encryption algorithms; they are the result of improvements made over time in the proprietary encryptor circuits. The original DS5000FP (circa 1988) has the first version of the encryptor. This was soon improved with a second-version encryptor in 1989, which remains in production today. A substantial improvement was made in the DS5002FP, which uses a wider Key and a more non-linear algorithm. The DS5002FP memory encryptor uses elements of DES (the Data Encryption Standard), although not the entire algorithm. Full DES is impractical, as memory encryption must be performed in real time on a one-to-one substitution basis rather than as a block cipher. The encryption algorithm is supported by the fact that both address and data are encrypted, the algorithm and Key are both secret, the most critical data can be stored on-chip in vector RAM (discussed below), and the bus activity is scrambled using dummy accesses (discussed below). For this reason, a security analysis of the DS5002FP is not simply a mathematical treatment of the encryption algorithm.

Encryption Key

The DS5000FP uses a 40-bit Encryption Key that is stored on-chip. As mentioned above, the Key is the basis of the encryption algorithm: the resulting physical addresses and data are dependent on this value. Tampering with or unlocking the microcontroller will cause the Key to be instantaneously destroyed. If the memory contents are encrypted, they become useless without this Key. A user selects the 40-bit Key and loads it via the Bootstrap Loader; selecting this Key enables the encryption feature. The DS5002FP uses a 64-bit Key. It is similarly stored on-chip in tamper-resistant circuits, and in much the same way this Key is the basis for the physical values that are presented on the bus. Using a wider Key gives the encryption more complexity and more permutations that must be analyzed by an attacker. Apart from the width of the Key and the complexity of the encryptor, the principal differences between the DS5000FP and DS5002FP are discussed below under Key Selection and Loading.

Encryption Key Selection and Loading

One of the significant differences between the DS5000FP and DS5002FP lies in Encryption Key management. In the case of a DS5000FP, the user must select a 40-bit Key during program loading. This Key must be selected prior to loading the microcontroller, as the memory is encrypted as it is loaded. The Key selection process must be protected, since an attacker who learns the Key can reproduce the user's code. This would be done by loading the correct Key into an unlocked DS5000FP, attaching the encrypted memory chip, and dumping the code using the Bootstrap Loader.

The DS5002FP provides an improved Key management system. The microcontroller chooses its own 64-bit Encryption Key from a number that is internally generated and secret. The Keys come from a true hardware random number generator, based on frequency differences between two on-chip ring oscillators and the user's crystal. With 2^64 (1.84 × 10^19) combinations, it is unlikely that any two DS5002FPs ever have the same Key. There is no method to discover the Key value, and no attacker can force the DS5002 to a particular Key. In addition, no one can "forget" to enable the encryptor, since it is always enabled. An additional advantage of the secret Key is that an attacker cannot "characterize" the encryptor by repeatedly loading known Keys and observing the result.

As mentioned above, encryption is always enabled on the DS5002FP. Each time the Bootstrap Loader is invoked, a new random number is prepared. If a Fill, Load, Dump, Verify, or CRC command is requested, the Loader selects the random number as a new Encryption Key prior to accessing the memory. Execution of a Load or Fill command results in the data being loaded in an encrypted form determined by the value of the newly-generated Key. Any subsequent Dump, Verify, or CRC within the same Bootstrap session causes the contents of the encrypted RAM to be read out and properly decrypted by the micro. Once a new Key is loaded, all commands work properly within the same Bootstrap session, since memory access is done using the correct Key. Exiting and re-entering the Bootstrap Loader and then doing a Dump will not work, since this action would first result in loading a new Encryption Key; the microcontroller would no longer be able to decrypt the RAM contents. This extra precaution is applied regardless of the Security Lock. It prevents an attacker from retrieving memory through the Bootstrap Loader even if the programmer forgets to lock the DS5002FP. Once the Security Lock is set, all Bootstrap Loader access to the memory is prohibited.
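The two Key-management models described above (a user-selected Key that persists on the DS5000FP, versus a fresh random 64-bit Key drawn every time the DS5002FP's Bootstrap Loader is entered) can be simulated to show why a Dump after exiting and re-entering the Loader only works on the DS5000FP. The following is an added illustration, not code from the User's Guide or from Dallas Semiconductor: the real encryptor is proprietary and not described here, so a keyed XOR stand-in (SHA-256 derived masks over address and data) is used purely to give the session semantics something to act on. The `SecureMicro` class, the `FIRMWARE` bytes, the 40-bit Key value and the RAM size are all constructed for this example.

```python
"""Toy model of DS5000FP vs DS5002FP Bootstrap Loader Key handling.

Added example; the encryptor below is a stand-in, NOT the proprietary algorithm.
"""
import hashlib
import secrets

RAM_SIZE = 256  # constructed: power of two so the address mask is a bijection
FIRMWARE = bytes.fromhex("0201aa0204bb7580f5a0120100e4f080")  # constructed sample code image


def _kdf(key: bytes, label: bytes, n: int) -> bytes:
    # Stand-in keyed derivation; only its dependence on the Key matters here.
    return hashlib.sha256(key + label).digest()[:n]


def encrypt_addr(key: bytes, addr: int) -> int:
    # Address encryption stand-in: keyed XOR mask, a bijection on [0, RAM_SIZE).
    mask = int.from_bytes(_kdf(key, b"addr", 2), "big") % RAM_SIZE
    return addr ^ mask


def encrypt_data(key: bytes, addr: int, byte: int) -> int:
    # Per-address one-to-one substitution; XOR makes it its own inverse.
    return byte ^ _kdf(key, b"data" + addr.to_bytes(2, "big"), 1)[0]


class LoaderLocked(Exception):
    """Raised when the Security Lock prohibits Bootstrap Loader memory access."""


class SecureMicro:
    """'DS5000FP' keeps a user-selected 40-bit Key across Loader sessions;
    'DS5002FP' draws a fresh random 64-bit Key each time the Loader is entered."""

    def __init__(self, model: str):
        assert model in ("DS5000FP", "DS5002FP")
        self.model = model
        self.ram = bytearray(RAM_SIZE)  # encrypted external RAM image
        self.key = None
        self.locked = False
        self.in_loader = False

    def select_key(self, key: bytes) -> None:
        # DS5000FP only: the user picks the Key before loading the program.
        assert self.model == "DS5000FP" and len(key) == 5
        self.key = key

    def enter_loader(self) -> None:
        self.in_loader = True
        if self.model == "DS5002FP":
            # Models the hardware RNG: a new 64-bit Key on every Loader invocation.
            self.key = secrets.token_bytes(8)

    def exit_loader(self) -> None:
        self.in_loader = False

    def set_security_lock(self) -> None:
        self.locked = True

    def _check_access(self) -> None:
        if self.locked:
            raise LoaderLocked("Security Lock set: Loader memory access prohibited")
        if not self.in_loader or self.key is None:
            raise RuntimeError("Loader not active or no Key selected")

    def load(self, addr: int, data: bytes) -> None:
        # Load command: data is encrypted with the current Key as it is written.
        self._check_access()
        assert addr + len(data) <= RAM_SIZE
        for i, b in enumerate(data):
            a = addr + i
            self.ram[encrypt_addr(self.key, a)] = encrypt_data(self.key, a, b)

    def dump(self, addr: int, length: int) -> bytes:
        # Dump command: RAM is read back and decrypted with the current Key.
        self._check_access()
        return bytes(encrypt_data(self.key, a, self.ram[encrypt_addr(self.key, a)])
                     for a in range(addr, addr + length))


def session_scenario(model: str) -> tuple:
    """Load and Dump within one session, then exit, re-enter and Dump again.
    Returns (same_session_dump_ok, cross_session_dump_ok)."""
    m = SecureMicro(model)
    if model == "DS5000FP":
        m.select_key(bytes.fromhex("0102030405"))  # constructed 40-bit Key
    m.enter_loader()
    m.load(0x00, FIRMWARE)
    same_session = m.dump(0x00, len(FIRMWARE)) == FIRMWARE
    m.exit_loader()
    m.enter_loader()  # DS5002FP: a new Key is prepared here
    cross_session = m.dump(0x00, len(FIRMWARE)) == FIRMWARE
    return same_session, cross_session


def locked_access_denied(model: str) -> bool:
    """Once the Security Lock is set, every Loader memory command is refused."""
    m = SecureMicro(model)
    if model == "DS5000FP":
        m.select_key(bytes.fromhex("0102030405"))
    m.enter_loader()
    m.load(0x00, FIRMWARE)
    m.set_security_lock()
    try:
        m.dump(0x00, len(FIRMWARE))
    except LoaderLocked:
        return True
    return False


if __name__ == "__main__":
    for name in ("DS5000FP", "DS5002FP"):
        print(name, "same/cross session dump:", session_scenario(name),
              "locked denied:", locked_access_denied(name))
```

On the modelled DS5000FP the Key persists, so a Dump after re-entering the Loader returns the program: anyone holding the Key and an unlocked part could do the same, which is the exposure the text attributes to user-selected Keys. On the modelled DS5002FP the re-entered session holds a different Key, so the Dump returns bytes that do not match what was loaded, regardless of whether the Security Lock was ever set; the lock then closes Loader access entirely.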

050396 75/173
