Embedded Intelligence Enables Digital Authentication in Medical Devices
• Electronics • Technical Articles • South-East European INDUSTRIAL Мarket - issue 4/2012
Jonathan Dillon, Microchip Technology
Introduction
It is critical that replaceable or disposable accessories for medical devices have a method of proving that the correct accessory, or attachment, is being used. If incorrect accessories are accidentally used, such as accessories designed for another model of the same equipment, or for another manufacturer’s equipment, thiscould cause safety issues. Furthermore, the reuse of disposable accessories may result in inferior performance and is likely to be unsanitary. Counterfeit accessories also pose a serious threat as they may not be designed to the same standards and could have significantly inferior performance.
Digital authentication can provide a high degree of certainty that a medical device accessory is both correct and genuine but has minimal impact on the design. The system can respond in a manner prescribed by the system’s designer once it has discovered that an accessory that does not authenticate successfully. The response can vary from simply informing the user that the accessory failed to authenticate through to preventing the system from operating.
Digital authentication
Simple ID systems to the exchange of digital signatures both encompass the full range of digital authentication schemes range from. Digital authentication requires embedded intelligence in the system and in the authenticated accessory at a hardware level. An embedded processor will already feature in many modern systems and that can be used to control authentication and a processor in the accessory can be revised to implement authentication. The addition of a small, low-cost, low-power microcontroller is relatively easy if an authenticated accessory doesn’t contain any embedded intelligence.
A bi-directional communications channel between the system and the accessory to allow the exchange of data is another physical requirement. The system and the accessory may use an existing communications channel or a channel within the equipment could be extended to enable communication with the accessory. UART, I2C, SPI and single-wire protocols (such as the UNI/O protocol) could all be employed if a communications channel needs to be added, due to the limited number of connectors, low protocol implementation requirements and wide range of devices with hardware support. RFID may be suitable for some medical applications, since it does not require external electrical connections. This simplifies cleaning and sterilization as the accessories and systems can be sealed.
ID transmission can deliver simple authentication as the accessory identifies itself to the system when requested. Theaccessory’s microcontroller can be replaced by a serial EEPROM with a stored ID that is read by the system using this scheme. Issues such as the use of incorrect accessories or accidental reuse by storing data that indicates the accessory has already been used can be prevented with ID transmission. However, the security level is very low, since counterfeiters need only replay the ID recorded from a valid accessory.
Challenge response/authentication and its derivatives offer a more secure solution. In this scheme, the system asks the accessory a question to which only an authentic accessory has the answer. The authentic accessory answers correctly, while a counterfeit is discovered and handled appropriately by the system.
Figure 2 demonstrated how Challenge/Response authentication employs several stages in a typical implementation.
1. The system generates a random number, or challenge.
2. The challenge is transmitted to the accessory.
3. The accessory modifies the challenge in a pre-arranged, non-obvious way to create the response.
4. The accessory transmits the response to the system.
5. The system retains a copy of the challenge and modifiesit to determine the ideal response.
6. The system compares the ideal response with the accessory’s response.If they match, the accessory is authentic.
The system needs to allow a wide range of challenges to defend against counterfeiters generating a look-up table of authentic responses for secure authentication. As well as making the cost of storing large tables uneconomical for counterfeiters, computing the response on the fly, rather than storing the responses in the accessory, reduces the storage requirements.
In a deterministic digital system it is not a simple task to generate random numbers in the system for use as challenges. Few external measurements are truly random, unpredictable and evenly distributed, and a limited number of potential challenges reduces the number of responses to be stored by counterfeits. A pseudorandom number generation algorithm is a more robust method with each system having a unique seed number, possibly using a modified form of the system serial number. Validated pseudorandom number generation algorithms produce a non-repeating sequence of numbers that is evenly distributed across their potential range of output values. The seed value used to initialize the algorithm determines the sequence of output values, and each system should have a unique seed value so as to produce a unique number sequence.The variables of the algorithm should be stored in non-volatile memory so their values are retained when power is removed from the system to prevent the algorithm from being reinitialised and repeating the same number sequence.
Encrypting the challenge or passing it through a one-way math function, called a secure hash can deliver the modification of the challenge. In both cases, the modification is being non-obvious and does not produce any identifiable trend in output for sequential inputs. The modification needs to be non-obvious because the challenge and responses can be monitored by eaves dropping on the communications channel. Attempting to determine the modification by encryption and secure hash algorithms requires excessive numbers of calculations and large number of challenge-response pairs. AES, TDES and XTEA are symmetrical, block-based encryption ciphers suitable for microcontroller-based authentication because they require little RAM and program space, and are computationally efficient. These features enable the use of a low-cost microcontroller and their efficiency means an encryption can be performed by executing a relatively low number of instructions. This reduces the overall current by allowing the microcontroller to be placed in a low-power state on completion. Block-based ciphers encrypt a number of bytes at a time and produce a matching size result. All three encryption ciphers are in the public domain, have withstood international analysis of their security and their encryption strength is believed to be well understood. Secure hash algorithms are similar to a checksum of the challenge, with a secret value intermixed, which provides a method of determining whether the calculations were performed by an authentic device. Hash algorithms, unlike encryption, are not a one-to-one mapping. The original input cannot be recovered from the result, as it could be produced by more than one set of input data. Secure hash algorithms such as HMAC-SHA-1 and HMAC-SHA-256 are suitable, although they do require far more RAM and program memory to implement, necessitating a more expensive microcontroller.
The modification method for input data is determined by a key for both secure hash and encryption algorithms. The key, and not the encryption ciphers selected determine the security of the system and therefore must be kept secret. This method, known as Kerchoff’s principle, states that knowing which algorithm is used does not negate the security because the key determines how the input is modified. To ensure the key cannot be simply read-out and is kept secret, it should be maintained in system memory, such as on-processor flash or EEPROM. This can also be achieved by storing the key in the microcontroller’s on-chip memory and enabling security features to block it from being downloaded prevents key identification. In each instance, the handling and knowledge of keys during system design and in production environments should be carefully managed to prevent disclosure.
Varying-sized keys can be supported by some algorithms, whilst larger keys offer increased security at the cost of additional calculations and resources to perform encryption. All encryption schemes are vulnerable to a brute-force attack. Using a known pair of input and output data,the input is encrypted with a progressive sequence of keys until a matching output is produced. Despite the fact that this can require considerable calculations even for smaller keys, the steadily increasing computing power available means that it is worthwhile to implement the largest key possible for the suitable range of microcontrollers, since the number of keys grows exponentially with the size of the key, thus increasing the time required for a brute-force attack. Keys should be chosen randomly to make it less probable for a brute-force attack to find the key early in its attempts. Although it is mathematically possible for a brute-force attack to find the key on its first attempt,it is in reality highly unlikely given the huge number of possibilities.
In order to hinder an attack, it is possible to sufficiently increase the time required to generate tables of authentic responses. Implementing time-outs, such as five seconds between authentication, and placing limits on the maximum acceptable data rate for communications, which limits how frequently challenges can be received both achieve this goal. Once the size in bits of challenges exponentially increases the table size, storage becomes prohibitively expensive for counterfeits. There are also methods for challenges larger than the cipher block size. Periodic re-authentication can prevent the system from being started with an authentic accessory and then another being swapped in post-authentication.
Challenging multiple accessories in parallel will reduce the time required to generate a table of good responses. However, the table will still require large volumes of storage and the time required may still be significant.
Equipping each authenticated accessory with an individual encryption key is an enhancement which gives each accessory its own unique response to a challenge but requires the system to either store the encryption keys for all authenticated accessories or to be able to derive the required key. Both methods require the accessory to have a serial number in order to identify the key required, but deriving the required key is more efficient from a storage viewpoint. The system delivers this with the encryption of the serial number of the accessory using an extra-secret master key, as shown in Figure 3. The result of this operation is used as the encryption key for authentication. If the master key is compromised, the scheme is unable to detect duplicates so measures must be taken to safeguard the master key. Only the system must retain the key, as the serial numbers of accessories are known during their manufacture and the secret master key has already been determined, which fixes the encryption key for each accessory. Therefore, accessories need only be programmed with their serial number and their encryption key and do not require the master key.
The advantage of this scheme is that multiple devices cannot be challenged in parallel, since each will have different responses. Also, should an authenticated accessory be compromised, only clones of this accessory with identical serial numbers can be produced. Systems may be able to blacklist this serial number once it has been detected.
An accessory’s serial number can be recorded automatically by the system with the addition of digital authentication and allows the management of recalls and enforcement of expiration dates if they are incorporated into serial numbers. Digital authentication uses encryption as a modifier and decryption is not implemented. However, decryption can require similar resources and code segments, making the addition of secure communications between the system and accessory possible. Additional data can be stored in the non-volatile memory inside the microcontroller, tightly binding calibration with the accessory and allowing usage data to be recorded.
Summary
The safety of medical accessories can be improved by digital authentication in a number of ways - the prevention of accidents, lapses in unsanitary re-use of disposable accessories and the propagation of counterfeit accessories, whilst also protecting revenue streams. Small, low-cost and low-power microcontrollers can easily meet the hardware requirements. There are a number of existing communications channels that can be used. Encryption block ciphers require minimal RAM, and can be implemented easily in a small microcontroller.
Keywords: medical devices, replaceable, disposable, ccessories, Jonathan Dillon, Microchip Technology
LATEST issue 1/2025
