Micron Blog

Mono-what Counter?

Today, we’ve released the industry’s first SPI Flash memory device available with an integrated replay-protected monotonic counter (RPMC). A what, you say?

To understand what the RPMC is, you must first understand some fundamentals of cryptography. In modern practice, cryptography is about protecting information while it is transmitted or stored, and that protection is usually described in terms of one or more properties of a message: privacy (confidentiality), integrity, authenticity, and non-repudiation. A digital signature is an example of a cryptographic mechanism that provides three of these four. When a message is digitally signed, the recipient can be confident about who the message came from (authenticity), that the message is intact and unmodified (integrity), and that the sender cannot later deny having sent it (non-repudiation).

Even when a message is signed, it is also very important that it cannot be “replayed.” Consider a message that transfers funds from account A to B. Digitally signing it, as noted above, is prudent but not sufficient: without some method to detect replay, an adversary who has captured the signed message could resubmit it and move funds from A to B again and again.

To eliminate the possibility of replay, “freshness” must be added to the message. Freshness ensures that each message is unique and can be recognized as such. It is generally achieved in one of three ways: incorporating a value used only once (a nonce, usually random) into the message, adding a timestamp to the message, or adding a count value that is guaranteed always to increase (i.e., to be monotonic). With freshness correctly included in the signed data, any attempt to reuse or replay the original message can be identified by the recipient and discarded.

All three freshness techniques have their place in cryptography, and each has pros and cons. A nonce is probably the most common method, but it requires a quality source of truly random or pseudorandom numbers, and the recipient must either remember the nonces it has already accepted or supply the nonce itself as a challenge. A random nonce also carries no temporal relationship between separate values. Timestamps can be effective in certain situations, but they generally require a synchronized time base between sender and recipient, plus a tolerance window for clock drift. A monotonic counter needs neither randomness nor synchronized time; the recipient only has to retain the highest count it has accepted and reject anything at or below it. Depending on the implementation, however, the count can be predictable, so it cannot double as an unguessable challenge, and the counter itself must be protected against being reset or rolled back. Which technique is most suitable to the task at hand is cryptosystem-dependent.

An effective monotonic counter must be nonvolatile: it has to survive a loss of power without being reset or corrupted, because a counter that can be rolled back makes old messages valid again. Many embedded systems use a real-time clock (RTC) to provide a monotonic counter for cryptographic freshness or anti-replay, but an RTC depends on its backup power and can be reset, set back, or lose its state entirely when that power is removed.

Micron’s RPMC has no such weakness because its count values are managed internally using Flash memory techniques that prevent corruption resulting from power loss. In addition, our RPMC is designed to ensure monotonicity of the count values, and a counter may be operated only by an authenticated party, one that holds the corresponding secret key.

Our RPMC actually exposes four independent counters, each bound to its own secret key. A counter’s value is returned together with an HMAC computed under that key, so the system using the counter can verify the integrity and authenticity of the count value it receives, and only a party holding the key can advance the counter. With this confidence, the system can use the values as a source of freshness for messages or other information that must be transmitted or stored with replay immunity.
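As an added example (not Micron’s code or command set, and not part of the original post), the following Python models an RPMC-style device with four keyed counters and shows how a host turns a counter value into message freshness: a tagged, authenticated read; an increment that the device accepts only with a valid HMAC over the current value; and a recipient that rejects any message whose count does not exceed the last one it accepted. The command encodings (the `INC`/`REQ` prefixes), the 32-bit counter width, the 12-byte tag, the HMAC-SHA-256 choice and the toy “transfer” message are this example’s own assumptions; the funds-from-A-to-B scenario follows the post.

```python
import hashlib
import hmac
import os
import struct

MAX_COUNT = 0xFFFFFFFF  # 32-bit counter width (assumed for this model)


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class RpmcDevice:
    """Model of four independent counters, each bound to its own secret key.
    State lives in RAM here; a real device keeps it in nonvolatile flash."""

    def __init__(self, keys):
        self._keys = [bytes(k) for k in keys]   # provisioned once, never read back
        self._counters = [0] * len(keys)

    def increment(self, idx, current, signature):
        """Advance counter idx. The host signs (idx, current) with the counter's
        key, and 'current' must equal the live value, so a captured increment
        request stops working as soon as the counter has moved on."""
        cmd = b"INC" + struct.pack(">BI", idx, current)
        if not hmac.compare_digest(signature, _mac(self._keys[idx], cmd)):
            return False                      # wrong key or tampered request
        if current != self._counters[idx]:
            return False                      # stale request: replay or desync
        if self._counters[idx] >= MAX_COUNT:
            return False                      # exhausted; a monotonic counter never wraps
        self._counters[idx] += 1
        return True

    def request(self, idx, tag):
        """Return (value, HMAC over tag||idx||value). The host-chosen tag stops an
        attacker answering a later read with a recording of an older, lower value."""
        value = self._counters[idx]
        return value, _mac(self._keys[idx], b"REQ" + tag + struct.pack(">BI", idx, value))


def host_sign_increment(key, idx, current):
    """Host side of the increment command: HMAC over what the device will check."""
    return _mac(key, b"INC" + struct.pack(">BI", idx, current))


def host_read_counter(device, key, idx):
    """Authenticated read: fresh tag in, signature checked before the value is trusted."""
    tag = os.urandom(12)
    value, sig = device.request(idx, tag)
    if not hmac.compare_digest(sig, _mac(key, b"REQ" + tag + struct.pack(">BI", idx, value))):
        raise ValueError("counter response failed authentication")
    return value


def make_transfer(session_key, device, counter_key, idx, src, dst, amount):
    """One signed 'move funds' message; the freshly incremented count is its freshness."""
    current = host_read_counter(device, counter_key, idx)
    if not device.increment(idx, current, host_sign_increment(counter_key, idx, current)):
        raise RuntimeError("counter increment refused")
    body = struct.pack(">I", current + 1) + f"{src}->{dst}:{amount}".encode()
    return body + _mac(session_key, body)


class Recipient:
    """Accepts a message only if the signature verifies AND its count exceeds every
    count accepted so far. last_count must itself be nonvolatile in a real receiver."""

    def __init__(self, session_key):
        self._key = session_key
        self.last_count = 0
        self.applied = []

    def accept(self, msg):
        body, sig = msg[:-32], msg[-32:]
        if not hmac.compare_digest(sig, _mac(self._key, body)):
            return "bad signature"
        count = struct.unpack(">I", body[:4])[0]
        if count <= self.last_count:
            return "replay"
        self.last_count = count
        self.applied.append(body[4:].decode())
        return "ok"


def demo():
    counter_keys = [os.urandom(32) for _ in range(4)]  # constructed keys for the demo
    device = RpmcDevice(counter_keys)
    session_key = os.urandom(32)                       # shared between sender and bank
    bank = Recipient(session_key)
    m1 = make_transfer(session_key, device, counter_keys[0], 0, "A", "B", 100)
    results = [bank.accept(m1), bank.accept(m1)]      # second delivery is a replay
    m2 = make_transfer(session_key, device, counter_keys[0], 0, "A", "B", 100)
    results.append(bank.accept(m2))                    # same payload, new count: accepted
    return results, bank.applied


if __name__ == "__main__":
    print(demo())  # (['ok', 'replay', 'ok'], ['A->B:100', 'A->B:100'])
```

Two details carry the security argument. The device never trusts the host’s claimed count by itself: the increment must carry an HMAC under the counter’s key and must name the live value, so a recorded increment request is refused once the counter has advanced, and a read is bound to a host-chosen tag so a recorded response cannot stand in for a later one. On the other side, the count only prevents replay if the recipient keeps its own high-water mark in storage that survives power loss; a recipient that forgets `last_count` reopens the window the counter was meant to close.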

With the RPMC integrated into our industry-standard SPI Flash device, system designers now have a more robust capability to protect the integrity of their code and data.

Tags: Client, NOR Flash


  • Yi Tsai on November 11, 2015

    Excuse me... If the SPI Flash device receives a replayed message or wrong freshness, what restriction will be set between controller and device? It confuses me.

  • LANCE DOVER on November 11, 2015

    The relevant situation involves a one-time message that is intended to be transmitted between two parties. Without freshness, the message could be replayed without the recipient knowing that it had already received the message. Freshness can be added to the message’s digital signature to ensure that it is valid only for the original message transmission.

  • LANCE DOVER on November 11, 2015

    The RPMC feature in select Micron flash devices allows for a trusted source of monotonically increasing count values, i.e. the freshness that can be incorporated into digital signatures to prevent replay.

  • Yi Tsai on November 11, 2015

    In the Authenticated Command List in the Micron Serial NOR Flash Memory spec, the command "INCREMENT MONOTONIC COUNTER" transmits counter address and counter data only. This command seems to prevent replay of itself only. Will the RPMC feature prevent replay for programming and reading?

  • LANCE DOVER on November 12, 2015

    “Increment Monotonic Counter” simply increments the counter. To read the counter data the “Request Monotonic Counter” and “Read Data” commands must be used. This counter data can then be incorporated into other data to prevent replay. The counter itself will not prevent replay of program/read. Rather, the counter data may be used in a way to do this with other data payloads.

  • Yi Tsai on November 16, 2015

    How do I use the counter data to prevent replay? Is it defined in any specification? Thank you a lot for your attention to this matter.

  • LANCE DOVER on November 16, 2015

    When a message is signed, it provides assurance that it came from the sender’s private key. By extension, this provides assurance that the message came from the intended sender. But without freshness, this message could be replayed. If unique information is added to the message when signed, the receiver may accept only a message with this unique information. In doing so, the message cannot be replayed. A flash monotonic count value can function as this unique information for a message.
