MEMS/传感技术
White Paper 7: Thermochron Mission Authentication and Security
Abstract: The applications for the Thermochron range from shipping monitoring of perishable goods or containers of temperature-sensitive chemicals to process verification. The authenticity of the temperature measurements are important since they could be used to prove shipping mishandling or provide documentation of a correct process control. The Thermochron has several built-in hardware mechanisms that can be utilized to detect tampering of the temperature-gathering mission. Further validation of the mission can be easily added by utilizing the user-programmable memory to hold a Mission Validation Certificate.
The Thermochron is an autonomous temperature-logging device in a small 16mm steel iButton® container. It has an internal energy source that is valid for typically well over one million temperature readings. The recording is done at a user-defined rate, both as a direct storage of temperature values as well as in the form of a histogram. Up to 2048 temperature values taken at equidistant intervals ranging from 1 to 255 minutes can be stored. The Thermochron also has 512 bytes of user-programmable memory.
The applications for the Thermochron range from shipping monitoring of perishable goods or containers of temperature-sensitive chemicals to process verification. The authenticity of the temperature measurements are important since they could be used to prove shipping mishandling or provide documentation of a correct process control.
A Thermochron that has gathered temperature data is said to have been on a mission. This document explains the Thermochron's build-in hardware protection and how to augment the validation of a given temperature mission with a certificate stored in user memory.
(Special terms, commands, or codes are shown in italics for clarity.)
Thermochrons have hardware mechanisms to detect tampering of a temperature mission. The log, histogram, and alarm register memory is read-only. The only way data gets into these memory locations are through temperature measurements performed by the device. When missioning a device, a required step is a memory-clear operation. Also the mission count register indicates which portion of the logging memory is valid. With these mechanisms there is never the possibility of reading old or invalid data in the memory.
Note that the alarm flag bits indicating a violation of the temperature high or low trip points can be cleared during a mission. This is to allow an iButton reader to clear the event until the next check. However the temperature alarm register that logs the duration of the temperature violation cannot be cleared without erasing the entire memory so should be used as the 'flag' for the entire mission.
Attempting to write to any of the read-only control registers will automatically stop an ongoing mission. If someone were to attempt to defraud a system by hiding temperature violations the only option available would be to stop and erase the old mission and then start a new one. If the mission is restarted then the mission time stamp register and the sample rate register will be rewritten. The histogram and log will be cleared. Consequently the mission will contain a lower than expected number of log values. This leads to the question: how does the recipient of a missioned Thermochron know if a valid agent started the mission?
While the hardware mechanisms that are present in the Thermochron will prevent altering an ongoing mission there is no way to conveniently decide that it was a valid mission. Inserting a certificate into user memory at the time the mission is started can solve this. A certificate format must have the feature that it can authenticate that the missioner was a valid agent of a system. There is a well-known cryptographic technique called a message authentication code (MAC) that can validate a message between participants that share a common secret. More specifically a MAC that uses a hash is called an HMAC. The HMAC technique is detailed in ISO/EC 9797-3 and RFC 2104. See Table 1 below presenting the input data fields to the HMAC calculation. The random field is used to make each of the certificates unique. The unique registration number is common to all iButton devices including the Thermochron.
Table 1. HMAC input data
DATA FIELD DESCRIPTION | LENGTH (IN BYTES) |
Secret known to system participants | 20 |
Unique registration number (ROM ID) | 8 |
Mission time stamp register | 5 |
Sample rate register | 1 |
Ramdom field to make each certificate unique (also called salt) | 2 |
OFFSET (ON PAGE) | FIELD DESCRIPTION | LENGTH (IN BYTES) |
0 | Length (1-Wire file structure) | 1 |
1 | Mission start time register | 5 |
6 | Sample rate register | 1 |
7 | Random field (salt) | 2 |
9 | HMAC-SHA1 of input data | 20 |
29 | Page Pointer (1-Wire file structure) | 1 |
30 | CRC16 (1-Wire file structure) | 2 |
The accuracy of the Thermochron is currently specified to be ±1°C over most of the operating range. Dallas Semiconductor does not currently provide NIST traceably validation however an independent testing lab could do this and utilize the user programmable memory area to save the NIST certificate.
Restricting physical access to the device can mitigate the risk or even the temptation of tampering of missioned Thermochron. The small size of the iButton package lends itself to inserting the entire logger inside shipping containers or even hidden.
The Thermochron has several build-in hardware mechanisms that can be utilized to detect tampering of the temperature-gathering mission. Further validation of the mission can be easily added by utilizing the user-programmable memory to hold a Mission Validation Certificate.
Future versions of the Thermochron family will have additional read and write password protection to help secure against tampering.
1-Wire is a registered trademark of Maxim Integrated Products, Inc.
iButton is a registered trademark of Maxim Integrated Products, Inc.
全部0条评论
快来发表一下你的评论吧 !