Embedded intelligence enables digital authentication in medical devices

Digital authentication can provide a high level of certainty in determining whether a medical device accessory is correct and genuine, with minimal design impact. When the system detects that an accessory does not have proper authentication, it can respond in whatever manner the system designer intends. The response can range from simply notifying the user that the accessory has failed to authenticate to preventing the system from working.

Digital authentication

Digital authentication techniques cover the entire range from simple identification systems to the exchange of digital signatures. Digital authentication requires intelligence built into both the system and the authenticated accessory at the hardware level. Many modern systems already incorporate an embedded processor that can be used to control authentication, and in accessories a processor can be put in charge of handling the accessory's side of the authentication. If the authenticated accessory does not contain any embedded intelligence, adding a small, low-cost, low-power microcontroller is relatively easy.

Another requirement is a two-way communications channel between the system and the accessory to allow data exchange. The system and accessory can use an existing communications channel, or take advantage of a channel already included in the equipment that could be extended to allow communications with the accessory. If a communications channel needs to be added, UART, I2C™, SPI, and single-wire protocols (such as the UNI/O® protocol) can be used, because they need few connections, place few requirements on protocol implementation, and have hardware support in a wide range of devices. RFID could be suitable for some medical applications because it does not require external electrical connections. This simplifies cleaning and sterilization, as accessories and systems can be airtight.

Transmitting an identification can provide a simple form of authentication: the accessory identifies itself to the system when prompted. With this technique the accessory microcontroller can be replaced by a serial EEPROM holding a stored identification that is read by the system. Transmitting an identification can prevent problems such as the use of the wrong accessory, and accidental reuse can be avoided by storing data indicating that the accessory has already been used. However, the level of security is very low, as counterfeiters only have to reproduce the ID stored on a valid accessory.

A question and answer authentication system (commonly called challenge-response) and its derivatives offer a more secure solution. With this technique, the system asks a question that only an authentic accessory can answer. The authentic accessory responds correctly, while a counterfeit one is exposed and handled accordingly by the system.

The following figure shows how the question and answer/authentication system employs various stages in a typical setup.

1. The system generates a random number, or question.

2. The question is transmitted to the accessory.

3. The accessory modifies the question in a preconfigured and non-obvious way to create the answer.

4. The accessory transmits the response to the system.

5. The system keeps a copy of the question and modifies it in the same way to determine the expected answer.

6. The system compares the expected answer with the answer from the accessory. If they match, the accessory is authentic.

For secure authentication, the system needs to allow a large number of questions, to defend against counterfeits that answer from a precomputed table of responses. A large number of questions makes the cost of storing such tables uneconomical for counterfeiters, and calculating responses on the fly, rather than storing them in the accessory, also reduces storage requirements.

In a deterministic digital system it is not easy to generate random numbers to use as questions. Few external measurements are truly random, unpredictable, and evenly distributed, and a limited number of potential questions reduces the number of responses that counterfeiters have to store. A more robust method is a pseudorandom number generation algorithm in which each system has a unique seed, possibly a modified form of the system serial number. Validated pseudorandom number generation algorithms produce a non-repeating sequence of numbers that is evenly distributed over the full potential range of output values. The seed used to start the algorithm determines the sequence of output values, so each system should have its own unique seed, such that it produces a unique sequence of numbers. The algorithm's variables should be stored in non-volatile memory so that their values are retained when system power is removed; this prevents the algorithm from reinitializing itself and repeating the same sequence of numbers.
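The effect of keeping the generator state in non-volatile memory, as an added example that is not code from the original article. The 64-bit linear congruential generator is only a stand-in for the validated pseudorandom algorithm the text calls for, and `nvm_t`, `qgen_boot`, `qgen_next` and the seed value are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated non-volatile cell (assumption: stands in for EEPROM or flash). */
typedef struct { uint64_t state; int valid; } nvm_t;

/* Volatile generator context, rebuilt at every power-up. */
typedef struct { uint64_t state; nvm_t *nvm; } qgen_t;

/* Power-up: resume from NVM if it holds state, else start from the unit's seed. */
static void qgen_boot(qgen_t *g, nvm_t *nvm, uint64_t seed) {
    g->nvm = nvm;
    g->state = (nvm && nvm->valid) ? nvm->state : seed;
}

/* Next question: full-period 64-bit LCG step (a % 4 == 1, c odd), so no value
   repeats within 2^64 outputs. The new state is written to NVM before return. */
static uint64_t qgen_next(qgen_t *g) {
    g->state = g->state * 6364136223846793005ULL + 1442695040888963407ULL;
    if (g->nvm) { g->nvm->state = g->state; g->nvm->valid = 1; }
    return g->state;
}

/* Counts how many of the first n questions after a power cycle repeat one of
   the first n questions issued before it. persist=0 keeps state in RAM only. */
static int repeats_after_power_cycle(uint64_t seed, int n, int persist) {
    nvm_t nvm = {0, 0};
    qgen_t g;
    uint64_t before[16];
    int hits = 0;
    if (n > 16) n = 16;
    qgen_boot(&g, persist ? &nvm : NULL, seed);
    for (int i = 0; i < n; i++) before[i] = qgen_next(&g);
    qgen_boot(&g, persist ? &nvm : NULL, seed);   /* power removed and restored */
    for (int i = 0; i < n; i++) {
        uint64_t q = qgen_next(&g);
        for (int j = 0; j < n; j++) hits += (q == before[j]);
    }
    return hits;
}

int main(void) {
    uint64_t seed = 0x00A1B2C3D4E5F607ULL;  /* constructed per-unit seed */
    printf("state in RAM only: %d repeats\n", repeats_after_power_cycle(seed, 8, 0));
    printf("state in NVM:      %d repeats\n", repeats_after_power_cycle(seed, 8, 1));
    return 0;
}
```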

The question can be modified by encrypting it or by passing it through a one-way mathematical function, also called a secure hash. In both cases, the modification is not obvious and does not produce any identifiable trend in the output for sequential inputs. The modification must not be obvious because the questions can be monitored through unauthorized access to the communication channel. Working out the modification performed by encryption and secure hash algorithms requires an excessive number of computations and a large number of question-answer pairs.

AES, TDES, and XTEA are block-based symmetric ciphers suited to microcontroller-based authentication because they require little RAM and little program space and are computationally efficient. These characteristics make it possible to use low-cost microcontrollers, and their efficiency means that encryption can be carried out in a small number of instructions. This reduces total current consumption by allowing the microcontroller to go into a low-power state upon completion. Block-based ciphers encrypt a fixed number of bytes at a time and produce a result of the same size. All three ciphers are in the public domain and have undergone international security scrutiny, and their cryptographic strength is considered to be well understood.

Secure hash algorithms are similar to a checksum of the question with a secret value mixed in, providing a way to determine whether the computation was performed on an authentic device. Unlike encryption, hash algorithms are not one-to-one mappings: the original input cannot be recovered from the result, since the same result could be produced from more than one input. Secure hash algorithms such as HMAC-SHA-1 and HMAC-SHA-256 are suitable but require much more RAM and program memory, as well as a more expensive microcontroller.

For both secure hash and encryption algorithms, a key determines how the input data is modified. The key, and not the choice of cipher, determines the security of the system and therefore must be kept secret. This is known as Kerckhoffs's principle, which states that knowledge of the algorithm used does not compromise the security of the system, because the key determines how the input is modified. To maintain secrecy and ensure that the key cannot easily be read, the system's memory must be protected, for example by using flash or EEPROM built into the processor. This can also be achieved by storing the key in the microcontroller's onboard memory and enabling the security features that block the key from being read out. In either case, the handling and knowledge of the key in the design and production environments must be carefully managed to prevent its discovery.

Some algorithms can work with variable-length keys; larger keys offer greater security at the cost of more computation and resources to perform the encryption. All encryption techniques are vulnerable to a brute force attack: using a known pair of input and output data, the input is encrypted with each key in a progressive sequence until the matching output is obtained. Although this is computationally intensive even for smaller keys, ever-increasing computing power means that it pays to use the largest possible key for the chosen range of microcontrollers, because the number of keys grows exponentially with the size of the key, thus increasing the time a brute force attack takes. Keys should be chosen randomly so that a brute force attack is less likely to find the key in a short time. Although it is mathematically possible for a brute force attack to find the key on its first try, this is highly unlikely given the enormous number of possibilities.

An attack can also be deterred by sufficiently increasing the time required to generate tables of authentic responses. This is accomplished by implementing timeouts, such as five seconds between authentications, and by limiting the maximum data rate accepted for communications, which limits how often questions can be received. Because the table grows exponentially with the number of question bits, storage becomes prohibitively expensive for counterfeiters. There are also methods for questions larger than the cipher block size. Periodic reauthentication can prevent the system from being activated with an authentic accessory that is then swapped for another after authentication. Asking questions of multiple accessories in parallel will reduce the time needed to generate a table of correct answers. However, the table will still require a large volume of storage and the time required would still be significant.

Giving each authenticated accessory an individual encryption key is an enhancement that gives each accessory its own unique answer to a question, but it requires the system either to store the encryption keys for all authenticated accessories or to be able to derive the necessary key. Both methods require the accessory to have a serial number in order to identify the key needed, but deriving the key is more efficient from a storage standpoint. The system derives it by encrypting the accessory serial number with an additional secret master key, as shown in Figure 3. The result of this operation is used as the encryption key for authentication. If the master key is compromised, this method is unable to detect duplicates, so steps must be taken to safeguard the master key. Only the system should retain the master key: the serial numbers of the accessories are known during their manufacture and the master key has already been determined, which establishes the encryption key for each accessory. The accessories therefore only have to be programmed with their serial number and their encryption key and do not need the master key. The advantage of this technique is that multiple devices cannot be interrogated in parallel, because each will give a different response. Also, if an authenticated accessory is compromised, only clones of that accessory, with identical serial numbers, can be produced. Systems could blacklist these serial numbers once detected.
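The six-step question and answer exchange described earlier, combined with the per-accessory key derivation from this paragraph, as an added example in C (not code from the original article). XTEA is one of the ciphers the article names; the master key, serial numbers, function names and the two-block method of filling the 128-bit key are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed master key; only the system holds it. */
static const uint32_t MASTER[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u};
typedef struct { uint32_t serial, key[4]; } accessory_t; /* all an accessory stores */
/* XTEA: encrypt one 64-bit block in place with a 128-bit key, 32 rounds. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}
/* Factory step: key = serial encrypted under MASTER; the accessory gets the
   serial and this key, never MASTER. Assumption: blocks (serial,0) and
   (serial,1) are encrypted to fill XTEA's 128-bit key. */
static accessory_t provision(uint32_t serial) {
    accessory_t a = {serial, {0}};
    for (uint32_t i = 0; i < 2; i++) {
        uint32_t blk[2] = {serial, i};
        xtea_encrypt(blk, MASTER);
        a.key[2 * i] = blk[0]; a.key[2 * i + 1] = blk[1];
    }
    return a;
}
/* Steps 3-4, accessory side: the answer is the question encrypted with its key. */
static void accessory_answer(const accessory_t *a, const uint32_t q[2], uint32_t r[2]) {
    r[0] = q[0]; r[1] = q[1];
    xtea_encrypt(r, a->key);
}
/* Steps 5-6, system side: re-derive the key from the reported serial, compute
   the expected answer, compare without early exit. Returns 1 if genuine. */
static int system_verify(uint32_t serial, const uint32_t q[2], const uint32_t r[2]) {
    accessory_t ref = provision(serial);
    uint32_t expect[2];
    accessory_answer(&ref, q, expect);
    return ((expect[0] ^ r[0]) | (expect[1] ^ r[1])) == 0;
}
int main(void) {
    uint32_t q[2] = {0xC0FFEE01u, 0x5EED1234u}, r[2]; /* constructed question */
    accessory_t genuine = provision(1001), clone = {1002, {1, 2, 3, 4}};
    accessory_answer(&genuine, q, r);
    printf("genuine accessory: %d\n", system_verify(genuine.serial, q, r));
    accessory_answer(&clone, q, r);
    printf("clone with guessed key: %d\n", system_verify(clone.serial, q, r));
    return 0;
}
```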

By incorporating digital authentication, the system can automatically store the serial number of the accessory, which allows recalls to be managed and expiration dates to be enforced if these have been incorporated into the serial numbers. Digital authentication uses encryption as a modifier, and decryption is not implemented. However, decryption may require similar resources and code segments, thus making it possible to incorporate secure communications between the system and the accessory. Additional data can be stored in non-volatile memory within the microcontroller, thus tying the calibration tightly to the accessory and allowing the stored data to be used.

Conclusion

Digital authentication can improve the security of medical accessories in several ways, preventing accidents, lapses such as the unsanitary reuse of consumable accessories, and the spread of counterfeit accessories, while also protecting the revenue stream. Small, low-cost, low-power microcontrollers can easily meet the hardware requirements. There are various communication channels that can be used. Block ciphers for encryption require minimal RAM and can be easily implemented on a small microcontroller.