Implementing secure authentication without being a cryptography expert

November 30, 2016 // By Christophe Tremlet
Today, digital security is one of the most hyped topics in electronic design. For many engineers, encryption is probably the first word that comes to mind when they think about security. Probably only a few think initially about authentication.

However, authentication is a fundamental function of secure devices or transactions. Let’s take the example of home banking. Clearly, you’d want confidential information such as balances and account numbers to be encrypted. This is what happens when your internet browser displays the green lock with https://.

That said, the first thing the internet browser checks when establishing a secure connection is that the bank website is genuine; in other words, it authenticates the bank website. Sending login and password information to a fake site would be extremely harmful, because these credentials could then be reused to run any kind of unauthorized transaction on behalf of an unsuspecting bank account holder. Secure internet browsing is generally achieved through the TLS/SSL protocol, which ensures authenticity and confidentiality.

Authentication is also important for Internet of Things (IoT) applications: an untrusted endpoint could put a whole infrastructure at risk. Let’s consider smart meters connected to the electrical power distribution system. An easy way for an attacker to disrupt the grid is to load a virus or malware onto the smart meters. Infected meters could then send fake messages to the infrastructure, reporting a power consumption very different from the actual one. The grid would then become unbalanced; in the worst case, the attack could trigger a full power outage. To avoid this situation, both the hardware of the meter and its firmware must be verified as genuine. The process of authenticating the firmware is called secure boot.