
How does OPTIGA™ Trust M prevent replay attacks?

KarishmaShaik
Moderator


With the increasing use of technology in almost all applications, security risks and challenges are increasing as well. One such risk is the replay attack, where the attacker eavesdrops on a network and captures an encrypted message carrying a known command, such as an access request to a confidential site. The attacker then uses the captured data at a later point in time to impersonate the original user and access the confidential data. To prevent this type of attack, add a time stamp, use a session ID, or use monotonic counters.

A monotonic counter is a one-way counter, which can either be used as an up counter or down counter for a particular application. Whenever this counter is called, it increments or decrements (based on whether it is used as an up or down counter) by any fixed value (not necessarily 1). These counters can be used to provide serial numbers, restrict the usage of a feature or data object, prevent replay attacks, and so on.

Monotonic counters in OPTIGA™ Trust M:

OPTIGA™ Trust M provides four monotonic counting data objects (up counters) and each counter can be updated up to a maximum of 600,000 times. These counter data objects have a fixed length of 8 bytes, which consist of the concatenated counter value (offset 3-0) and the regarded threshold (offset 7-4), as shown in the following figure.

 

[Figure: layout of the 8-byte counter data object, with the counter value at offset 3-0 and the threshold at offset 7-4]

The counter value (offset 3-0) increments (up counter) by a 1-byte value that the application provides. As soon as the counter reaches or exceeds the threshold (defined by offset 7-4), the counter is set to the threshold value, and any further attempt to count returns an error. For example, OPTIGA™ Trust M has various key objects that can store public or private keys. If private key usage has to be restricted to 100 times, link the private key object to a monotonic counter with a threshold value of 100. Whenever the private key is accessed, the counter value is incremented by 1. Once the value reaches 100, the private key can no longer be used. For additional information on key and data objects, please refer to KBA235372.

These monotonic counters can be used as general-purpose counters or as counters linked to other data objects. To link a monotonic counter to another data object, update the execute access condition (EXE in the metadata) of that data object. The condition includes the linked usage counter (Luc) value along with the counter Object Identifier (OID). For example, if you need to restrict the usage of an arbitrary data object (0xE120) holding a pre-shared secret, enable the counter object (updated with the maximum allowed limit), and then assign the counter data object in the execute access condition of that arbitrary data object as shown (EXE, Luc, Counter Object): 0xD3, 0x03, 0x40, 0xE1, 0x20. For more information on metadata update, please refer to the solution reference manual.

Use cases:

  • Usage restriction: Monotonic counters can be used to restrict the usage of a shared secret to a fixed number of times. Each time the shared secret is used, the counter is incremented. Upon reaching the limit, the shared secret can no longer be used for secure communication and a new shared secret needs to be generated. They are also used to enable additional usage restriction for critical assets such as RSA private keys, AES keys, and so on, if they are not intended for extensive use.
  • Prevent replay attacks: To prevent an attacker from replaying data, link the monotonic counter to the data object and embed the current counter value in the current data. When the data is updated, the counter increments and its new value is embedded in the new data. If an attacker subsequently attempts to replay the old data, the current monotonic counter value does not match the counter value present in the data, thereby indicating that the data is invalid.
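
The replay check from the last use case, as an added example in C that is not Infineon's code and does not use the OPTIGA host library: a software model of the counter object that saturates at its threshold, plus a record that embeds the counter value. The byte order, the record layout and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
/* Software model only. Assumed layout: bytes 0-3 counter value,
   bytes 4-7 threshold, both big-endian. */
typedef struct { uint8_t raw[8]; } counter_obj_t;
/* Stored data with the counter value embedded. Integrity protection
   of the record (for example a MAC) is assumed and not shown. */
typedef struct { uint32_t count; char data[16]; } record_t;
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
void counter_init(counter_obj_t *c, uint32_t threshold) {
    wr32(c->raw, 0); wr32(c->raw + 4, threshold);
}
uint32_t counter_value(const counter_obj_t *c) { return rd32(c->raw); }
/* Count up by a 1-byte step; saturate at the threshold, and fail
   (-1) once the threshold has already been reached. */
int counter_update(counter_obj_t *c, uint8_t step) {
    uint32_t v = rd32(c->raw), t = rd32(c->raw + 4);
    if (v >= t) return -1;
    wr32(c->raw, (t - v <= step) ? t : v + step);
    return 0;
}
/* Update the data: count first, then embed the new counter value. */
int record_write(record_t *r, counter_obj_t *c, const char *data) {
    if (counter_update(c, 1) != 0) return -1;
    r->count = counter_value(c);
    strncpy(r->data, data, sizeof r->data - 1);
    r->data[sizeof r->data - 1] = '\0';
    return 0;
}
/* A record is current only if its embedded value equals the counter. */
int record_is_fresh(const record_t *r, const counter_obj_t *c) {
    return r->count == counter_value(c);
}
/* Constructed scenario: a captured old record is presented again. */
int replay_is_rejected(void) {
    counter_obj_t c; record_t live = {0}, captured;
    counter_init(&c, 3);
    record_write(&live, &c, "balance=100");
    captured = live;                      /* copy of the old data */
    record_write(&live, &c, "balance=20");
    return record_is_fresh(&live, &c) && !record_is_fresh(&captured, &c);
}
int main(void) { return replay_is_rejected() ? 0 : 1; }
```

On the device the counter lives inside the secure element, so the host cannot roll it back; the model only reproduces the counting and comparison logic.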

For further information on OPTIGA Trust M monotonic counters, please refer to the solution reference manual and GitHub.