Mono-what Counter?

By Lance Dover - 2013-09-10

Today, we’ve released the industry’s first SPI Flash memory device available with an integrated replay-protected monotonic counter (RPMC). A what, you say?

To understand what the RPMC is, you must first understand some of the fundamentals of cryptography. By practical and modern definition, cryptography is the secure transmission of information. By most metrics, it involves one or more basic characteristics associated with a transmitted message: privacy (confidentiality), integrity, authenticity, and non-repudiation. A digital signature is an example of a cryptographic capability that provides three of these four functions. When a message is digitally signed, the recipient can be confident that he or she knows who the message came from (authenticity), knows that the message is intact and unmodified (integrity), and knows that the sender can’t deny who sent the message (non-repudiation).

When this same signed message is transmitted, it’s also very important that the message can’t be “replayed.”  Consider a message that transmits funds from account A to B. Although digitally signing this message as noted above would be quite prudent, it’s not sufficient. Without some method to prevent the message from being replayed, an adversary could repeatedly deposit funds from A to B using the same original message.

To eliminate the possibility of replay, “freshness” must be added to the message. Freshness ensures that any message is unique and can be detected as such. Freshness is generally achieved in one of three ways:  incorporating a random value (called a nonce) into the message, adding a timestamp to the message, or adding a count value that is guaranteed to always increase (i.e., to be monotonic). By correctly adding freshness using one of these techniques, any attempt to reuse or replay the original message can be identified by the recipient and discarded.

While freshness techniques all have their place in cryptography, they also have pros and cons. A nonce is probably the most common method to guarantee message freshness, but it also requires a quality source of truly random or pseudorandom numbers. A random nonce also cannot provide any temporal relationship between separate values. Timestamps can be effective in certain situations, but they generally require a synchronized time base between sender and recipient. A monotonic counter needs neither of these things, but depending on the implementation, the count can be predictable. Determining which freshness technique is most suitable to the task at hand is cryptosystem-dependent.

An effective monotonic counter implementation must be nonvolatile and, therefore, immune to power loss in case it’s reset or corrupted. Many embedded systems utilize a real-time clock to provide a monotonic counter for cryptographic freshness or for the purpose of anti-replay.

Micron’s RPMC has no such weakness because its count values are internally managed using Flash memory techniques that prevent corruption resulting from power loss. In addition, our RPMC is designed to ensure monotonicity of the count values and may only be used by an authenticated party.

Our RPMC actually exposes four separate counters that are HMAC-signed by individual secret keys. In this way, the system utilizing each counter can verify the integrity and authenticity of the count values it receives. With this confidence, the system can then utilize the values as a source of freshness for messages or other information that must be transmitted or stored with replay immunity.

With the RPMC integrated into our industry-standard SPI Flash device, system designers now have more robust capability to protect the integrity of their code and data.

Lance Dover

Lance Dover