3.2.1 Symmetric Keys

The parent symmetric secret key is stored in Slot 3 of the data zone and is 32 bytes (256 bits) in length. This key is based on SHA-256 cryptography and provides 128 bits of key strength. For the host (SHA105) device, the parent symmetric key must always be programmed into the device. For the client device, either the parent or a diversified key may be programmed into Slot 3.

For enhanced symmetric security, it is recommended that a host side security device be added to the system and that diversified keys be used for the disposable/accessory device. Diversified keys are generated by the provisioning system, by hashing a common parent key, with the unique serial number of each of the disposable device and some additional information. The host device securely stores the parent key. With the help of the host microcontroller, the serial number from the disposable device will be read, loaded into the host security device and the diversified key of the disposable is regenerated. Once this has been done, a random challenge can be initiated and MAC/CHECKMAC operations can be performed to verify the authenticity of the disposable device in a highly secure fashion.

Storing the parent key in a secure host device makes it more difficult to compromise the security of the system. Utilizing diversified keys, limits any security exposure to an individual disposable device. Because the host regenerates the diversified key from a disposable device it is not limited in terms of the disposable devices it can be used with. The SHA105 has the ability to regenerate and authenticate the diversified key of the client device when the Parent key is stored in Slot 3. The TPDS tools can assist with this process.

I/O Protection Key

For the SHA105, Slot 0 may be configured with an I/O Protection key. This key can be used to generate the MAC response for the CheckMac command.