Emerging Financial Payment Applications Powered by Freescale Security Solutions

FTF-CON-F0484

Starle Li | Marketing Manager, AP

MAY 2014
Agenda

• Explosive Growth of China POS Industry
• Call for Security in Financial Application
• Introduction of Kinetis Security MCU
• Introduction of the i.MX Trust Architecture
• Summary
China 3rd Party Payment Market is Booming

- According to PBOC's report of 2013:
  - Payment transactions via mobile phone
    - Transaction count: 1.67 Billion, **212.86% increase**.
    - Transaction volume: RMB 9.64 Trillion, **317.56% increase**.
  - Payment transactions via telephone
    - Transaction count: 0.45 Billion, **-6.59% change** (a decrease).
    - Transaction volume: RMB 4.74 Trillion, **-8.92% change** (a decrease).
Direct Acquiring vs. 3rd Party Payment

(Diagram) Acquiring surcharge share 7:2:1. Flow 1: UnionPay, inter-bank settlement, acquirer (acquiring). Flow 2: inter-bank settlement, paying.

External Use | 3
Lakala mobile POS Reshapes Mobile Payment

• Low cost
• Leverages the resources of the mobile phone
  – Bluetooth interface with the mobile phone; no 3G/LTE modem is needed.
  – Low power, giving longer battery life.
• Mini form factor for mobile applications
Payment carriers approved by PBOC will penetrate into acquiring business by selling mPOS to micro merchants.

PBOC approved 250 payment carriers from March 2011 to July 2013, and 47 out of 250 have the license of acquiring.

CUP and banks began to promote mPOS to expand the online payment business to defeat 3rd party payment carriers.

http://www.hkrt.cn/pc.asp?id=39

http://cn.unionpay.com/online_pay/minipay/file_94977279.html
## mPOS vs. Traditional POS

<table>
<thead>
<tr>
<th></th>
<th>Traditional POS</th>
<th>mPOS</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Target Users</strong></td>
<td>Medium and big merchants</td>
<td>Micro and smaller merchant</td>
</tr>
<tr>
<td><strong>Operators</strong></td>
<td>Banks, CUP</td>
<td>Banks, 3rd party payment providers</td>
</tr>
<tr>
<td><strong>Business Model</strong></td>
<td>Surcharge of transaction paid by merchants</td>
<td>Surcharge of transaction paid by merchants, but much lower than traditional POS</td>
</tr>
<tr>
<td><strong>Platform Requirement</strong></td>
<td>High, Application processor with security module</td>
<td>Low, MCU and security module</td>
</tr>
<tr>
<td><strong>Interface to mobile devices</strong></td>
<td>N/A</td>
<td>USB, Bluetooth</td>
</tr>
<tr>
<td><strong>Cost</strong></td>
<td>High</td>
<td>Low</td>
</tr>
<tr>
<td><strong>Safety Level</strong></td>
<td>High</td>
<td>High</td>
</tr>
<tr>
<td><strong>Freescale Product</strong></td>
<td>i.MX258</td>
<td>K21D, K21F</td>
</tr>
</tbody>
</table>
Security in POS
How Much Security?

When protecting a system you must consider:

• What are you trying to protect?
• What types of attack do you need to protect against?
• What are the likely attack points, and methods?
• How much security do you require?
  - How much are you willing to pay?
• How will security impact the underlying system?
• How will you upgrade/maintain the system and security over time?
Categories of Attack in Embedded Systems

• Electrical
  - Over/Under voltage
  - Power analysis
  - Frequency analysis
  - Electrostatic discharge
  - Circuit probing

• Software
  - Spy software insertion
  - Flow analysis
  - Trojan horse
  - Virus

• Physical
  - Temperature variation (into extremes)
  - Temperature analysis
  - De-processing
  - System theft
  - Partial destruction
  - Hardware addition/substitution

• Classification by cost
  - Investment (equipment)
  - Time
  - Expertise needed

• Classification by type
  - Invasive or semi-invasive
  - Non-invasive (e.g. side channel attack)
  - Software
How are Systems Protected Today?

**Physical security:**
- Secure packaging
- Secure packaging with tamper detect (e.g. micro-switch, pressure monitoring)
- Secure packaging with tamper detect and destruction (e.g. dynamite)
- Obscured part numbers
- Hidden layers
- Protected location

**Electronic Security:**
- **Security bit, to protect on-chip non-volatile memory (e.g. Flash on MCUs)**
  - Prevent external access to on-chip resources:
    - Locks device into Single Chip mode (disables external parallel bus)
    - Disables Background Debug Mode
    - Disables Test Mode
    - Disables JTAG
    - Disables any (serial) “Bootstrap” functions
  - Memory array bulk erase turns security bit off (user selectable option)
- **Secure System (e.g. Trust Zone)**
  - Code signing to prevent software tampering
  - Assurance for stored IP
  - Data stored encrypted in internal or external memory
  - Data decrypted and stored in on-chip private memory at runtime
    - How do you protect software IP in external memory systems?
- **Proprietary (CPU) Design**
- **Silicon Obfuscation (e.g. obscuring metal layer)**
- **On-Chip Encryption Acceleration**
  - How do you protect the keys?
Example 1: Power analysis (SPA, DPA, ...)

Figure 2: Current through CMOS inverter (source: Peeters et al., 2006)

Figure 3: SPA trace from typical smartcard showing 16 rounds of DES operation (source: Kocher et al, 1999)
Example 2: Spike/glitch attack

- Glitch attacks are fast changes in the signals supplied to the device and designed to affect its normal operation. Usually glitches are inserted in power supply and clock signals.
Microcontroller System Security Requirement

(Block diagram) System elements: CPU, SRAM, integrated FLASH, DRAM, peripherals, optional external memory system, LAN/PAN/WAN connectivity.

Security requirements attached to those elements:
- Hardware random number generator
- Memory protection unit
- Protected Flash memory
- Encrypted communications
- Unique chip identifier
- Secure key storage
- Tamper detection, secure RTC
- Hardware cryptographic acceleration
Freescale Security MPU/MCU Overview

High
- i.MX53
  - Cortex A8, 800-1GHz
  - 2D/3D GPU
  - External Security
- i.MX 6S
  - Cortex A9, 1.0 GHz
  - 2D/3D GPU
- K21
  - Cortex M4 100 MHz
  - DryIce Security Block

Mid
- Vybrid
  - Cortex A5+M4, 500/100MHz
  - DryIce Security Block
- i.MX258
  - ARM926, 400MHz
  - DryIce Security Block
  - HAB, RTIC

Low
- K21
  - Cortex M4 100 MHz
  - DryIce Security Block, with USB OTG
- K61
  - Cortex M4 120 to 150 MHz
  - DryIce Security Block, with Ethernet, DRAM, USB OTG

(Roadmap timeline: 2012 to 2013)
Kinetis K-Series Portfolio

ARM Cortex-M4 solutions for a wide range of embedded applications

1st Gen Kinetis K-Series Families

- K70 – Graphics
- K60/K61 – Ethernet w/optional Tamper
- K5x – Measurement (Medical)
- K40 – SLCD + USB
- K30 – SLCD
- K2x – USB
- K1x – Baseline

2nd Gen Kinetis K-Series Families

- K64, K66 – Ethernet MCUs
- K63, K65 – Ethernet w/ Tamper MCUs
- K24 – USBs MCU w/ extended RAM
- K22 – USB MCUs
- K21 – USB w/ Tamper MCUs
- K12 – Baseline MCUs
- K11 – Baseline w/Tamper MCUs
- K02 – L-Series Bridge Cortex-M4

(Portfolio chart) Performance axis: 50, 72, 100, 120, 150 and 180 MHz. Memory density axis: 32KB, 64KB, 128KB, 256KB, 512KB.

Increase memory integration and

Execution / Production

Full new set of cost-effective Devices with leading power/performance
Kinetis: Security

- **Flash Security** *(All Kinetis families)*
  - 4-level protection limits access to flash resources, safeguarding user's IP

- **Memory Protection Unit** *(All Kinetis families)*
  - Data protection and increased software reliability

- **Tamper Detection & battery back-up** *(K60, K70 families)*
  - Voltage, frequency, temperature & external sensing for physical attack detection

- **Cryptographic Acceleration Unit** *(K1x, K2x, K50, K60, K70 families)*
  - Faster than software implementations with only minimal CPU intervention
  - Wide variety of algorithms supported

- **H/w Cyclic Redundancy Check** *(All Kinetis families)*
  - Validation of memory contents and communication data for enhanced system integrity
Kinetis Security Summary

• The entire (current) Kinetis family includes enhanced Flash security, with user selectable:
  - Security bit, disables external and debug access
  - Backdoor access enable
  - Factory access enable
  - Block erase & re-program disable
  - Hardware protection against "Noise injection" attacks
  - Memory Protection Unit
  - 128-bit unique part identifier

• K60 and K70 120/150 MHz parts in 256 MAPBGA packages, and K11 and K21 50 MHz parts add:
  - Battery backed up tamper detection, monitoring:
    ▪ Supply voltage
    ▪ Clock frequency
    ▪ Temperature
    ▪ External sensors
    ▪ External physical tampering (e.g. drilling into PCB)
  - 256-bit secure user storage (key), erased on tamper
  - Secure real time clock
Kinetis: Security
K10/K20/K30/K40/K50/K60/K70

Flash Security Options:
• User backdoor access disable
• Factory access disable
• Mass erase disable
• Multiple transfers from Flash to config register
Benefits: prevents external accesses for reading or programming; prevents block and security bit erase and re-programming, protecting against system impersonation; protects the secure system against electrical noise attacks.

Memory Protection Unit (MPU):
• 16 areas, supervisor/user (config registers are fully accessible)
Benefit: allows "sandboxing", running software with restricted access permissions.

Cryptographic Acceleration Unit (CAU):
(K10/20/50/60/70 only)
• Symmetrical crypto
• Hashing functions
• Random Number Generator (RNG)
Benefits: reduces CPU loading for cryptographic functions; facilitates detection of data tampering; facilitates generation of FIPS 140 certifiable random numbers.

Enablement:
• Crypto stacks

Secure storage:
• 128 bit unique chip identifier
Benefit: facilitates certificates and authentication tied to a specific MCU.

Hardware Cyclic Redundancy Check (CRC):
Benefit: accelerates basic data integrity checking.
Kinetis: Security
K10/K20/K60/K70, 50/120/150MHz

Flash Security Options:
• User backdoor access disable
• Factory access disable
• Mass erase disable
• Multiple transfers from Flash to config register

Memory Protection Unit (MPU):
• 16 areas, supervisor/user (config registers are fully accessible)

Tamper Detection (with battery backup):
• Integrated sensors:
  • Frequency
  • Voltage
  • Temperature
• 4x passive external tamper sources (inputs)
• 2x active external tamper sources (2x output and input)
Benefit: protects against a wide range of physical attacks on MCUs, even during low power modes.

Cryptographic Acceleration Unit (CAU):
• Symmetrical crypto
• Hashing functions
• Random Number Generator (RNG)

Enablement:
• High Assurance Boot (HAB) with tools
• Crypto stacks
Benefit: highly secure firmware verification, with secure firmware upgrade capability; may be used to prevent firmware downgrading.

Secure storage:
• 256 bit user area, erased by tamper
• 128 bit unique chip identifier
Benefit: protected storage of a user key or authentication code, which may be used as a master key to encrypt an additional key depository.

Secure Real Time Clock (RTC):
• Monotonic
• Overflow and reprogram protection

Hardware Cyclic Redundancy Check (CRC)
Kinetis MCUs with Security and integrity solutions

High-end POS Powered by i.MX
ViewAt Multimedia POS with i.MX6Q+K21D

- Android 4.3 OS
- i.MX6Q
  - 4 ARM Cortex-A9 cores deliver outstanding performance
- K21D
  - Security MCU provides uncompromising protection for financial applications
i.MX258-based PCI PED Certified Products

• **MB400**
  - Product Info
  - Certification:
  https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

• **W280**

• **G810**
i.MX Trust Architecture Features

**Trusted Execution**
- Isolates execution of critical SW from possible malware
- TrustZone Secure & Normal Worlds (processor modes)
- Hardware firewalls between CPU & DMA masters and memory & peripherals

**High Assurance Boot**
- Authenticated boot: prevents unauthorized SW execution
- Encrypted boot: protects SW confidentiality
- Digital signature checks embedded in on-chip boot ROM
- Run every time processor is reset
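The authenticated-boot and anti-downgrade behaviour described in the HAB bullets above (and in the Kinetis "secure firmware upgrade capability; may be used to prevent firmware downgrading" benefit) can be modelled as a small boot-ROM routine. The following is an added example, not Freescale code and not the real HAB image format: real HAB checks RSA signatures against public-key hashes burned into fuses, whereas this model stands in an HMAC-SHA256 tag keyed with a constructed device key so that it runs with the Python standard library only. The image layout (`FWIM` magic, version, payload length, trailing tag), the `SecureBoot` class and the `min_version` ratchet are all assumptions made for illustration.

```python
"""Model of an authenticated boot check with anti-rollback (added example).

Stand-in for HAB: tag = HMAC-SHA256(device_key, header || payload).
The device key, image layout and field names are constructed assumptions.
"""
import hmac
import hashlib
import struct

HEADER = struct.Struct("<4sII")   # magic, firmware version, payload length
MAGIC = b"FWIM"                   # assumed image magic
TAG_LEN = 32

# Constructed device key. On real silicon this secret (or a public-key hash)
# lives in fuses / ROM and is never visible to software.
DEVICE_KEY = bytes(range(32))


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Signing-side helper: header + payload + tag over header||payload."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SecureBoot:
    """Boot ROM model: authenticate first, then enforce a monotonic minimum version."""

    def __init__(self, key: bytes = DEVICE_KEY, min_version: int = 0):
        self._key = key
        # In hardware this counter would sit in secure non-volatile storage.
        self.min_version = min_version

    def verify(self, image: bytes) -> tuple[bool, str]:
        """Return (accepted, reason). Header fields are only trusted after the tag check."""
        if len(image) < HEADER.size + TAG_LEN:
            return False, "image too short"
        magic, version, length = HEADER.unpack_from(image)
        if magic != MAGIC:
            return False, "bad magic"
        body_end = HEADER.size + length
        if body_end + TAG_LEN != len(image):
            return False, "length mismatch"
        expected = hmac.new(self._key, image[:body_end], hashlib.sha256).digest()
        # Constant-time comparison of the tag.
        if not hmac.compare_digest(expected, image[body_end:]):
            return False, "authentication failed"
        # Anti-downgrade: an authentic but older image is still refused.
        if version < self.min_version:
            return False, f"rollback: version {version} < minimum {self.min_version}"
        return True, "ok"

    def boot(self, image: bytes) -> tuple[bool, str]:
        """Verify and, on success, ratchet the minimum accepted version upward."""
        ok, reason = self.verify(image)
        if ok:
            _, version, _ = HEADER.unpack_from(image)
            self.min_version = max(self.min_version, version)
        return ok, reason


if __name__ == "__main__":
    rom = SecureBoot()
    print(rom.boot(build_image(2, b"application v2")))   # accepted, ratchets to 2
    print(rom.boot(build_image(1, b"application v1")))   # authentic but rejected as rollback
```

The order of checks is the point of the model: the tag is verified over the whole header and payload before the version field is acted on, and the version ratchet is only advanced after a successful boot, so a valid older image cannot be used to reopen a fixed vulnerability.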

**HW Cryptographic Accelerators**
- i.MX family dependent
- Symmetric: AES-128, AES-256, 3DES, ARC4
- Message Digest & HMAC: SHA-1, SHA-256, MD5
i.MX Trust Architecture Features (continued)

Secure Storage
- Protects data confidentiality and integrity
- Off-chip: cryptographic protection including device binding
- On-chip: self-clearing Secure RAM
- HW-only keys: no SW access
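The Secure Storage bullets above (off-chip data bound to the device, HW-only keys) and the Kinetis benefit of a tamper-erased 256-bit user key that "may be used as master key to encrypt additional key depository" describe the same key hierarchy. The following added example models it; it is not Freescale code and does not use the CAAM/SNVS or DryIce interfaces. The `SecureStorage` class is a stand-in for the battery-backed key block, HMAC-SHA256 in counter mode stands in for the hardware AES-256 engine so the example runs with the standard library only, and the blob layout (nonce, ciphertext, tag) and the derivation labels are assumptions.

```python
"""Model of a device-bound key depository under a tamper-erased master key (added example).

Encrypt-then-MAC blob: nonce || ciphertext || HMAC-SHA256 tag.
HMAC-SHA256 in CTR mode is a stand-in for the hardware AES-256 engine.
"""
import hmac
import hashlib
import os

NONCE_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream (stand-in for AES-CTR). Symmetric for encrypt/decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _prf(key, nonce + (offset // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SecureStorage:
    """Stand-in for the battery-backed secure key area with tamper response."""

    def __init__(self, unique_id: bytes):
        self.unique_id = unique_id              # 128-bit unique chip identifier (constructed)
        self._master = os.urandom(32)           # 256-bit user key; hardware-only in silicon
        self.tampered = False

    def on_tamper(self) -> None:
        """Tamper response: zeroize the master key. Every blob wrapped under it is now unreadable."""
        self._master = bytes(32)
        self.tampered = True

    def _blob_keys(self) -> tuple[bytes, bytes]:
        # Separate encryption and MAC keys, both bound to this chip's unique ID.
        enc = _prf(self._master, b"enc|" + self.unique_id)
        mac = _prf(self._master, b"mac|" + self.unique_id)
        return enc, mac

    def wrap(self, depository: bytes) -> bytes:
        """Produce an off-chip blob protecting the key depository (confidentiality + integrity)."""
        if self.tampered:
            raise RuntimeError("master key has been erased; cannot wrap")
        enc, mac = self._blob_keys()
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _keystream_xor(enc, nonce, depository)
        tag = _prf(mac, nonce + ciphertext)
        return nonce + ciphertext + tag

    def unwrap(self, blob: bytes) -> bytes:
        """Authenticate the blob before decrypting; any key mismatch fails closed."""
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        enc, mac = self._blob_keys()
        nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(_prf(mac, nonce + ciphertext), tag):
            raise ValueError("depository blob failed authentication")
        return _keystream_xor(enc, nonce, ciphertext)


if __name__ == "__main__":
    chip = SecureStorage(unique_id=bytes(16))          # constructed chip ID
    blob = chip.wrap(b"\x11" * 32 + b"\x22" * 32)      # two constructed 256-bit application keys
    print(chip.unwrap(blob) == b"\x11" * 32 + b"\x22" * 32)   # True
    chip.on_tamper()
    try:
        chip.unwrap(blob)
    except ValueError as exc:
        print("after tamper:", exc)
```

Two properties of the hierarchy are visible in the model: the blob is useless on a second chip even with the same unique ID because the master key differs (device binding), and after a tamper event the same blob fails authentication rather than decrypting to garbage, so the response is fail-closed.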

HW Random Number Generation
- Ensures strong keys and protects against protocol replay
- On-chip entropy generation
- Cryptographically secure deterministic RNG

Secure Clock
- Provides reliable time source
- On-chip, separately-powered real-time clock
- Protection from SW tampering
i.MX Trust Architecture Features (continued)

Security Debug:
- Protects against HW debug (JTAG) exploitation for:
  - Security circumvention
  - Reverse engineering
- Three security levels + complete JTAG disable

Tamper Detection
- Protects against run-time tampering
- Monitoring of various alarm sources
  - Debug activation
  - External alarm (e.g. cover seal)
  - SW integrity checks
  - SW alarm flags
- HW and SW tamper response
- Support varies by i.MX family
i.MX Trust Architecture – Overview

(Block diagram) Components: ARM CPU, DMA master, peripheral slave, external memory, ROM (High Assurance Boot), accelerator (cipher, hash, RNG), Secure RAM, Secure Clock, Secure Debug with JTAG, Tamper Detect, and electrical fuses (keys, security levels).

Tamper Detect alarm sources: GPIO alarm, SW alarm, debug alarm. Response: erase.
### i.MX Trust Architecture Deployment

<table>
<thead>
<tr>
<th>Feature</th>
<th>i.MX 25</th>
<th>i.MX 27</th>
<th>i.MX 28</th>
<th>i.MX 35</th>
<th>i.MX 50</th>
<th>i.MX 51</th>
<th>i.MX 53</th>
<th>i.MX 6</th>
</tr>
</thead>
<tbody>
<tr>
<td>Trusted Execution</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>High Assurance Boot</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Secure Storage</td>
<td>✓</td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Hardware RNG</td>
<td>✓</td>
<td>✓</td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Secure Clock</td>
<td>✓</td>
<td></td>
<td></td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Secure Debug</td>
<td>✓</td>
<td>✓</td>
<td></td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Tamper Detection</td>
<td>✓</td>
<td>✓*</td>
<td>✓*</td>
<td>✓*</td>
<td>✓*</td>
<td>✓*</td>
<td>✓*</td>
<td>✓*</td>
</tr>
</tbody>
</table>

* External Digital Tamper only monitored when main power is supplied.
<table>
<thead>
<tr>
<th>Feature</th>
<th>i.MX6 Family</th>
</tr>
</thead>
<tbody>
<tr>
<td>Assurance Boot</td>
<td>Authenticated Boot + Encrypted boot (HABv4.1)</td>
</tr>
<tr>
<td>Secure Storage</td>
<td>On-chip zeroizable 4x4kB Secure RAM</td>
</tr>
<tr>
<td></td>
<td>Off-chip storage protected using unique HW master key (AES-256) (CAAM/SNVS)</td>
</tr>
<tr>
<td>Cryptographic Accelerators</td>
<td>Symmetric: AES-128/256, DES, 3DES, ARC4</td>
</tr>
<tr>
<td></td>
<td>Hash &amp; HMAC: MD5, SHA-1, SHA-224, SHA-256</td>
</tr>
<tr>
<td></td>
<td>HW Random Number Generator – follows NIST/BSI recommendations &gt; 2015 (CAAM)</td>
</tr>
<tr>
<td>Run-time Monitoring</td>
<td>None</td>
</tr>
<tr>
<td>Secure Real Time Clock</td>
<td>SNVS</td>
</tr>
<tr>
<td>Hardware Firewalls</td>
<td>External memory (TZASC)</td>
</tr>
<tr>
<td></td>
<td>On-chip peripherals (CSU)</td>
</tr>
<tr>
<td></td>
<td>On-Chip Memory (CAAM, OCRAM)</td>
</tr>
<tr>
<td>Resource Domain Separation</td>
<td>None</td>
</tr>
<tr>
<td>Secure JTAG</td>
<td>Full or Controlled Disable (3 modes)</td>
</tr>
<tr>
<td>Physical Tamper Detection</td>
<td>Tamper Input GPIO</td>
</tr>
<tr>
<td></td>
<td>Tamper Response (SNVS)</td>
</tr>
<tr>
<td>Device Configuration</td>
<td>Open, Closed, Field Return</td>
</tr>
<tr>
<td>TrustZone Support</td>
<td>Peripheral DMA access control (CSU)</td>
</tr>
<tr>
<td></td>
<td>Memory DMA access control (ARM TZASC)</td>
</tr>
<tr>
<td></td>
<td>Interrupt separation (ARM GIC)</td>
</tr>
<tr>
<td></td>
<td>Secure storage separation (CAAM/SNVS)</td>
</tr>
<tr>
<td></td>
<td>Cryptographic separation (CAAM)</td>
</tr>
<tr>
<td></td>
<td>OCRAM protected region (OCRAM, CSU)</td>
</tr>
</tbody>
</table>
Compliance
Federal Information Processing Standard - FIPS

- The US Government publishes a 'Federal Information Processing Standard', known as FIPS, which describes how governmental agencies should protect sensitive data.

- FIPS 140-2 is the standard pertaining to cryptography modules used by the federal government.

- The FIPS standard is published by the National Institute of Standards and Technology (NIST). www.nist.gov

- Certification of one system using a specific processor provides no pass-through benefit to our customers
  - The tests are system level tests, so every new system must go through the process
  - For this reason, there are no plans for Freescale to pursue FIPS testing/certification of Kinetis.
Payment Card Industry – PCI Compliance

• PTS (PIN transaction security) is the PCI standard governing security for POS and PIN entry devices
• Like FIPS, PCI-PTS is a system level compliance test.
• Freescale has no plans to create a reference system and pass it through PCI-PTS certification; however, we hired an outside company to perform a security review of the Kinetis K70 specification.
• We have a customer version of the report that can be shared as needed.
Europay, Mastercard, Visa – EMV compliance

- Standard for IC cards or “chip cards” – credit cards with a chip in them for authentication of transactions
- This is a system level compliance test, but in this case there is a defined standard for the interface to the outside world: ISO7816-3.
EMV Compliance (cont.)

- We support ISO7816-3 using the UART
- There are three classes determined by voltage:
  - Class A (4.5V-5.5V)
  - Class B (2.7V-3.3V)
  - Class C (1.62V-1.98V)
- Kinetis can only support Class B and Class C without external voltage translation hardware
Useful References

- The DryIce and RTC chapters of the applicable device’s reference manual
- The DryIce and RTC sections of the applicable device’s data sheet (under NDA)
- Anxxxx: Using the DryIce Tamper Detection Unit on Kinetis Microcontrollers (under NDA)
- AN3795: Using the CRC Module on the Flexis AC Family
- AN4507: Using the Kinetis Security and Flash Protection Features
- AN4307: Using the CAU and mmCAU in ColdFire, ColdFire+ and Kinetis
- CAU/MMCAU Performance Analysis – Internal Document
- RSA Performance using Kinetis MCU – Internal Document
Designing with Freescale

Tailored live, hands-on training in a city near you

2014 seminar topics include

• QorIQ product family update
• Kinetis K, L, E, V series MCU product training

freescale.com/DwF