With an increase in the use of technology in almost all applications, there is an increase in security risks and challenges. One such risk is replay attacks, where the attacker eavesdrops a network and captures an encrypted message of known commands such as access request to a confidential site. The attacker then uses the captured data at a later point of time to impersonate the original user and access the confidential data. To prevent this type of attack, add a time stamp or use a session ID or use monotonic counters.
A monotonic counter is a one-way counter, which can either be used as an up counter or down counter for a particular application. Whenever this counter is called, it increments or decrements (based on whether it is used as an up or down counter) by any fixed value (not necessarily 1). These counters can be used to provide serial numbers, restrict the usage of a feature or data object, prevent replay attacks, and so on.
Monotonic counters in OPTIGATM Trust M:
OPTIGA™ Trust M provides four monotonic counting data objects (up counters) and each counter can be updated up to a maximum of 600,000 times. These counter data objects have a fixed length of 8 bytes, which consist of the concatenated counter value (offset 3-0) and the regarded threshold (offset 7-4), as shown in the following figure.
The counter value (offset 3-0) increments (up counter) by a 1-byte value that is provided in the application. As soon as the counter reaches or exceeds the threshold (defined by offset 7-4), the counter gets set to the threshold value and returns an error upon attempting to count further. For example, OPTIGA™ Trust M has various key objects that can store public or private keys. If private key usage has to be restricted to 100 times, then link the private key object to a monotonic counter with a threshold value of 100. Whenever the private key is accessed, the counter value is incremented by 1. Once the value reaches 100, the private key cannot be further used. For additional information on key and data objects, please refer to KBA235372.
These monotonic counters can be used as a general-purpose counter or as a linked counter to other data objects. To link a monotonic counter to other data objects, the execute access condition (EXE in metadata) of the data object should be updated. This includes the linked usage counter (Luc) value along with the counter Object Identifier (OID). For example, if you need to restrict the usage of an arbitrary data object (0xE120) holding a pre-shared secret, the counter object (updated with maximum allowed limit) should be enabled, and then assign the counter data object in the execute access condition of that arbitrary data object as shown: EXE, Luc, Counter Object → 0xD3, 0x03, 0x40, 0xE1, 0x20. For more information on metadata update, please refer to the solution reference manual.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.