
Thread: How to build a fairly secure way to authenticate/license product

  1. #1
    Junior Member
    Join Date
    Oct 2018
    Location
    Poland, Cracov
    Posts
    14

    How to build a fairly secure way to authenticate/license product

    Hi,

    So as the topic stated I want to be sure that:

    1. the device which I am selling will be used untouched as I provided it - same hardware with same software which authenticates the product itself, and
    2. store some persistent licence info about the customer and product number - make device uniquely traceable.


    All this concerns the usage of a Teensy 3.6 (it can also be 3.2 or 3.5) connected to a Linux machine which runs the user application.

    My thoughts:

    1.
    Firstly I wanted to use the MAC address. For example I get the address from the controller, compare it with data stored on the user app side and then unlock the device. But in my case - I am buying the main chip and bootloader chip separately so the MAC is useless (factory set to FF:FF:...:FF). Then I wanted to use the serial number, however after some conversation with Paul, the serial number also seems to be useless.

    However, the serial number alone probably isn't a useful way to check for authenticity, since it's easy to craft a USB device which simply sends the same descriptors
    Another question is the uniqueness of the serial number assigned by the bootloader - I made a new thread for that - https://forum.pjrc.com/threads/56884...717#post209717

    2.
    • I will use the option of blocking access to flash memory (FSEC set to secured), so I can flash the program with already provided customer data and product number and AFAIK I can feel as secure as the NXP system is - tell me if I am wrong. I can make a special app for this purpose to automate the build process with customer data provided from the app and store that in some company internal database as well. So it is not inconvenient for me.
    • However 2a will generate a new .hex file - not good in my case. I would rather keep one .hex and provide the customer data externally from a special app using my custom protocol over USB in "factory safe conditions". For example if I flash the program for the first time, I can enter the data once and after this process the access is blocked by setting some data in EEPROM. Which one is better in security terms? Or maybe there is a better solution? I am aiming also at automation of the process but it is not the issue due to small forecasted annual sale.


    And finally if something goes wrong (different hardware, check for license failed etc.) the device should not start - the application that controls the device should show an error etc.

    I imagine that during the in-company setting-up process the hardware and software should be somehow securely and permanently paired with the user application once. So as I wrote I am thinking about combining the hardware IDs with some product specific description provided in firmware. I am waiting for your opinions and suggestions.

    ~Matthew

  2. #2
    Junior Member
    Join Date
    Oct 2016
    Posts
    2
    Hi,

    if you are still able to modify your circuit you could add a preprogrammed UID chip.
    Those have got a unique serial number already programmed in a Read-Only portion, therefore there is no way to overwrite it.
    This way you can store all the serial numbers of your official products and:
    • If someone is able to replicate your hardware you will be able to identify that by cross-checking your SN database.
    • You will be able to provide a restore feature to the end user, as a firmware rewrite procedure won't wipe the SN data as these are "outside" the main MCU
    • You will be able to use the same method with different MCUs, even with different architectures, as long as the chip library can be compiled


    Hope this will help you solve this issue.

  3. #3
    Junior Member
    Join Date
    Oct 2018
    Location
    Poland, Cracov
    Posts
    14
    Quote Originally Posted by Icearrow View Post
    if you are still able to modify your circuit you could add a preprogrammed UID chip.
    Those have got a unique serial number already programmed in a Read-Only portion, therefore there is no way to overwrite it.
    It's still a work-in-progress so that can be done. Thanks for the advice. Do you know or can you recommend any chips?

    However, the more I read about it the more I think that the unique serial number is only 50% of the work. The other half is end-to-end encryption, at least for the time of key exchange or authorization.
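
Added example, not part of the original thread or any poster's code: a host-side simulation of the two checks discussed above, showing that a device which only reports a known serial number can be imitated by replaying it, while a keyed challenge-response over a fresh nonce cannot. The key, serial, class and function names are constructed for illustration, and it assumes a per-device key provisioned once into read-protected flash.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration only.
MASTER_KEY = bytes(range(32))      # vendor secret, never shipped in firmware
SERIAL = b"SN-000123"              # e.g. read from the device or a UID chip

def derive_device_key(master_key: bytes, serial: bytes) -> bytes:
    """Per-device key, written once at the factory into read-protected flash."""
    return hmac.new(master_key, b"device-key|" + serial, hashlib.sha256).digest()

def mac(key: bytes, nonce: bytes, serial: bytes) -> bytes:
    return hmac.new(key, nonce + serial, hashlib.sha256).digest()

class Device:
    """Firmware side: knows its serial and its provisioned key."""
    def __init__(self, serial: bytes, key: bytes):
        self.serial, self._key = serial, key
    def respond(self, nonce: bytes) -> bytes:
        return mac(self._key, nonce, self.serial)

class ReplayClone:
    """Copies the serial and replays one sniffed response; holds no key."""
    def __init__(self, serial: bytes, sniffed_response: bytes):
        self.serial, self._sniffed = serial, sniffed_response
    def respond(self, nonce: bytes) -> bytes:
        return self._sniffed

def serial_only_check(device, known_serials) -> bool:
    """Weak check: anything that reports a known serial passes."""
    return device.serial in known_serials

def challenge_response_check(device, master_key: bytes) -> bool:
    """Fresh random nonce per attempt, so an old response is useless."""
    nonce = secrets.token_bytes(16)
    expected = mac(derive_device_key(master_key, device.serial), nonce, device.serial)
    return hmac.compare_digest(expected, device.respond(nonce))

def demo() -> dict:
    genuine = Device(SERIAL, derive_device_key(MASTER_KEY, SERIAL))
    clone = ReplayClone(SERIAL, genuine.respond(secrets.token_bytes(16)))
    return {
        "clone_passes_serial_only": serial_only_check(clone, {SERIAL}),
        "genuine_passes_challenge": challenge_response_check(genuine, MASTER_KEY),
        "clone_passes_challenge": challenge_response_check(clone, MASTER_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

With a symmetric scheme like this the verifier needs the key material too, so the check is only as strong as the place that key is stored; a verifier running on the customer's machine would instead call for a per-device signature verified against a public key.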
