I drew a little diagram of the security model I plan to use in Anelok: http://downloads.qi-hardware.com/people/werner/anelok/tmp/security.pdf
The "trusted core" is the MCU, in our case a Freescale Kinetis KL26. It has protection against altering the Flash (including a bulk erase) and against reading any memories or running the chip under a debugger. It communicates with the various entities in the system. The MCU and the RF SoC are also sealed against physical tampering in some way, e.g., with the transparent silicone plus paint seal we discussed before.

The MCU contains the (trusted) code and the master keys. The master keys are weakly encrypted with the user's PIN and there's also a retry limit against brute-force attacks. The master keys unlock the encryption of objects in the password database on the memory card.

The memory card also contains trusted code updates and maybe some large data (fonts, etc.), which is signed. The corresponding credentials (not shown) are also stored in the MCU.

The various communication channels - Bluetooth LE or USB - are all usually encrypted but there may also be some insecure modes. In the case of Bluetooth, the encrypted channel would terminate in the MCU and not, as is commonly done, in the insecure RF SoC. The code in the RF SoC is weakly trusted, so it would still be signed on the memory card, but a reasonably determined attacker could alter what runs on the RF SoC.

- Werner
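An added sketch, not part of the original post or of Anelok's code, of the PIN-wrapped master key with a retry limit described above. The KDF, the XOR wrapping, the check value, the limit of 5 and the wipe-on-exhaustion behaviour are all assumptions chosen for illustration; the class stands in for state that would live in the MCU's read-protected flash.

```python
import hashlib
import hmac
import os

MAX_TRIES = 5  # assumed retry limit; the post gives no number


class PinVault:
    """Models MCU-internal state: wrapped key, salt, check tag, failure counter."""

    def __init__(self, pin: str, master_key: bytes):
        self.salt = os.urandom(16)
        self.wrapped = self._xor(master_key, self._pad(pin, len(master_key)))
        # Check value lets the MCU tell a right PIN from a wrong one. It also
        # enables offline guessing if flash is ever read out, which is why the
        # read protection and the retry limit carry the real security.
        self.check = hmac.new(master_key, b"check", hashlib.sha256).digest()
        self.failures = 0

    def _pad(self, pin: str, n: int) -> bytes:
        # PIN-derived pad; a 4-digit PIN has only 10**4 candidates, hence "weak".
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000, dklen=n)

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def unlock(self, pin: str):
        """Return the master key, or None on a wrong PIN."""
        if self.wrapped is None:
            raise PermissionError("master key wiped")
        # Count the attempt *before* checking, so cutting power mid-check
        # cannot buy a free guess.
        self.failures += 1
        candidate = self._xor(self.wrapped, self._pad(pin, len(self.wrapped)))
        tag = hmac.new(candidate, b"check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.check):
            self.failures = 0
            return candidate
        if self.failures >= MAX_TRIES:
            self.wrapped = None  # assumed policy: wipe once the limit is hit
        return None
```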

