Atmel ATAES132
32Kb AES Serial EEPROM Specification
I
2
C Datasheet Summary
Features
•
•
32Kb standard Serial EEPROM user memory
•
Compatible with the Atmel
®
AT24C32D
•
16 user zones of 2Kb each
High-security features
•
•
•
•
•
•
•
AES algorithm with 128-bit keys
AES-CCM for authentication
Message authentication code for cryptographic operations
Secure storage for sixteen 128-bit keys
Encrypted user memory read and write
FIPS random number generator
16 nonreversible monotonic counters
•
•
•
•
•
•
Flexible, user-configured security
•
User zone access rights independently configured
•
Authentication prior to zone access
Read/write, encrypted, or read-only user zone options
1MHz I
2
C serial interface
2.5V to 5.5V supply, <250nA sleep
Packages: SOIC, TSSOP, or UDFN
•
Serial EEPROM compatible pin-out
-40° to +85°C operating temperature
Benefits
Add security without retooling printed circuit board by just replacing an existing
Serial EEPROM.
•
•
•
•
•
•
•
•
•
Authenticate consumables
Authenticate components
Authenticate network access
Protect sensitive firmware
Secure confidential data
Prevent enablement of unpaid for features
Manage contract manufacturers from overbuilds
Manage warranty claims
Securely store complete identify including fingerprints and pictures
8762A−CRYPTO−5/11
Description
The Atmel ATAES132 is a high-security, serial, electrically erasable and
programmable read-only memory (EEPROM) providing both authentication and
confidential, nonvolatile data storage capabilities. Access restrictions for the
sixteen user zones are independently configured, and any key can be used with
any zone. Keys can also be used for standalone authentication. This flexibility
permits the ATAES132 to be used in a wide range of applications.
The AES-128 cryptographic engine operates in AES-CCM mode to provide
authentication, stored data encryption/decryption, and message authentication
codes. Both internally stored data and/or small quantities of external data can be
protected by the ATAES132 device.
The ATAES132 pin-out is compatible with standard Serial EEPROMs to allow
placement on existing PC boards. The Serial EEPROM portion of the
ATAES132 instruction set is identical to Atmel Serial EEPROM instruction set.
The ATAES132’s extended security functions are accessed by sending
command packets to the ATAES132 using standard write instructions and
reading responses using standard read instructions. The ATAES132 Secure
Serial EEPROM architecture allows it to be inserted into existing applications.
The ATAES132 device incorporates multiple physical security mechanisms to
prevent release of the internally stored secrets. Secure personalization features
are provided to facilitate third-party product manufacturing.
Table 1.
Pad
V
CC
GND
SCL
SDA
NC
AuthO
NC
Figure 2.
Package pin list
Description
Supply voltage
Ground
Serial clock input
Serial data input/output
No connect pin. Recommend float or tie to V
CC
Auth signalling
No connect pin. Recommend float or tie to V
CC
SOIC
8
4
6
5
1
2
3
TSSOP
8
4
6
5
1
2
3
UDFN
8
4
6
5
1
2
3
Pin configurations
UDFN
V
CC
NC
SCL
SDA
8
7
6
5
SOIC or TSSOP
NC
AuthO
NC
GND
1
2
3
4
8
7
6
5
V
CC
NC
SCL
SDA
NC
2
AuthO
3
NC
4
GND
1
Top view
Bottom view
Atmel ATAES132 [I2C Datasheet Summary]
8762A−CRYPTO−5/11
2
1.
1.1.
Security
Advanced Encryption Standard (AES)
The ATAES132 cryptographic functions are implemented with a hardware cryptographic engine using the Advanced
Encryption Standard (AES) in CCM mode with a 128-bit key. AES-CCM mode provides both confidentiality and integrity
checking with a single key. The integrity MAC includes both the encrypted data and additional authenticate-only data bytes, as
described in each command definition. Each MAC is unique due to inclusion of a nonce and an incrementing MacCount
register in the MAC calculation.
1.2.
Hardware Security Features
The ATAES132 device contains physical security features to prevent an attacker from determining the internal secrets. The
ATAES132 includes tamper detectors for voltage, temperature, frequency, and light, as well as an active metal shield over the
circuitry, internal memory encryption, and various other features. The ATAES132 physical design and cryptographic protocol
are designed to prevent or significantly complicate most algorithmic, timing, and side-channel attacks.
2.
Chip Internal Regions
Seven distinct regions make up the internal organization of the ATAES132: user memory, information region, configuration
memory, counters, key memory, SmallZone, and I/O support regions.
Figure 2-1.
Chip internal regions
User memory (32Kb)
Information region (36 bytes)
Configuration memory (165 bytes)
Counters (2Kb)
Key memory (2Kb)
Small zone (32 bytes)
Free space (96 bytes)
I/O support SRAM
2.2.
User Memory
The user memory is comprised of 32Kb of nonvolatile memory, segmented into 16 zones. Access to the zones is
independently configurable to offer access restrictons, from open access, as in any standard Serial EEPROM, to full
restrictions that preclude read/write operations and will only permit internal, authenticated use for such data as security keys.
2.3.
Information Region
The information region holds read-only identification information, such as unique die serial numbers and other information
pertaining to the ATAES132.
Atmel ATAES132 [I2C Datasheet Summary]
8762A−CRYPTO−5/11
3
2.4.
Configuration Memory
The configuration memory offers the ability to customize access rights to different resources of the chip as a means to tailor
the various security features of the chip to one’s specific application. This customization, formally known as personalization,
grants the application owner the ability to define custom access rights to chip resources, from counters and key usage to
memory. After personalization, the application owner issues lock commands to render the configuration permanent and to
forever seal security keys and information in user zones configured to be confidential.
The configuration memory supports multistep workflows to support the use of third-party services like programming without
compromising the content or application security. In addition, Atmel offers optional, value-add programming services through
the use of hardware security modules, which allow application owners to virtually inject their secrets into the ATAES132.
Table 2-1.
Name
Algorithm
ChipConfig
Counters
CounterConfig
DeviceNum
EEPageSize
EncReadSize
EncWriteSize
FreeSpace
Jedec
KeyConfig
LockConfig
LockKeys
LockSmall
LotHistory
ManufacturingID
PermConfig
SerialNum
SmallZone
TempCal
TempOffset
I
2
C Addr
ZoneConfig
Note:
1.
Summary of configuration table parameters, sorted by name
Description
Algorithm ID Code (0x0000)
Device level cryptographic and power up configuration options
16 monotonic counters, each capable of counting to 2M
Configuration information for each counter
Atmel device number code
Length in bytes of physical EEPROM page (32, 0x20)
Maximum data length in bytes for EncRead (32, 0x20)
Maximum data length in bytes for EncWrite (32, 0x20)
Free memory for customer data storage
Atmel JEDEC manufacturer code 0x001F
Configuration information for each key
Controls configuration memory write access, except
SmallZone. Default is the ‘unlocked’ state
(1)
Controls key memory write access. Default is the ‘unlocked’
state
(1)
Controls SmallZone register write access. Default is the
‘unlocked’ state
(1)
Atmel proprietary manufacturing information
Two byte manufacturing ID code
Atmel factory device configuration options
Guaranteed unique die serial number. SerialNum is optionally
included in cryptographic calculations
32 byte value. The first four bytes are optionally included in
cryptographic calculations
Indicates the source of the TempOffset value
Temperature offset for calculating the die temperature using the
values returned by the temp sensor
Selects the serial interface mode and stores the I
2
C device
address
Access and usage permissions for each user zone
Write
Never
If LockConfig = unlocked
If LockConfig = unlocked
If LockConfig = unlocked
Read
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Always
Bytes
2
1
128
32
1
1
1
1
96
2
64
1
1
1
8
2
1
8
32
1
8
1
64
Never
Never
Never
Never
If LockConfig = unlocked
Never
If LockConfig = unlocked
Via Lock command only
Via Lock command only
Via Lock command only
Never
Never
Never
Never
If LockSmall = unlocked
If LockConfig = unlocked
If LockConfig = unlocked
If LockConfig = unlocked
If LockConfig = unlocked
Changes to most of the configuration registers take effect immediately, which allows the functionality to be tested
during the personalization process. Changes to the I
2
C Addr register take effect at the next reset, power up, or
wake up from the sleep state.
Atmel ATAES132 [I2C Datasheet Summary]
8762A−CRYPTO−5/11
4
2.5.
Counters
The counters region contains 16 nonreversible monotonic counters. The counter operation is customizable during
personalization in the configuration memory to permit such features as free use, authenticated-only increments, and control of
key usage.
2.6.
Key Memory
Key memory holds sixteen 128-bit keys targeting various AES and AES-CCM operations. Key usage is customizable during
personalization in the configuration memory to permit custom features like authentication-only, limited-use, counter increment,
user zone access, key permissions, and many other uses. The key memory is writeble only during personalization, and is
never readable under any circumstances. One may only use an authentication procedure to validate the content of a key.
However, the ATAES132 offers a set of commands which, when so configured during personalization, permits secure key
creation, imports, exports, and transfer of content from a confidential user memory to key space.
2.7.
SmallZone
SmallZone is a 32-byte, general-purpose memory separate from the 32Kb user memory and with special features to aid
multistep workflows. Configuration at personalization may make portions of this zone a mandatory input into cryptographic
calculations.
2.8.
I/O Support
The I/O Support regions contains a FIFO and other registers, which together provide a means to send the ATAES132
commands and receive responses, including status information.
Atmel ATAES132 [I2C Datasheet Summary]
8762A−CRYPTO−5/11
5
京公网安备 11010802033920号
EEWORLD
