Security ICs Are Targeting Consumer Applications

New devices will address the need to secure sensitive data in both networks and personal computers.

Date Posted: November 06, 2000 12:00 AM

The important issue is always that the key itself and the key generation process never leave the secure hardware. The key shouldn't be stored in a separate EEPROM. A major part of a chipcard manufacturer's IP is to provide the counterintelligence against attacks from the outside. Depending on the application, the designer can choose a specific hardware solution, which is directly integrated into the computer hardware.

For encrypting huge amounts of data, Infineon created the Bayon (SLD9670) IC, a chip with high computing power compared to a chipcard. The chip can encrypt all data to be written to a hard disk, or decrypt that data entirely during a read operation. The Bayon offers a 32-bit, 33-MHz PCI bus interface and provides symmetric real-time encryption of a DES/Triple-DES algorithm at 423/141 Mbit/s. The device is capable of storing 128 key lines (keys + signature + attributes) and contains a UART as well as two chipcard interfaces.

Computer users also can benefit from a system that integrates the Bayon IC with a chipcard, resulting in a DES module. Such a device performs very rapid symmetrical encryption of data delivered via the PCI interface. The chipcard communicates securely with the Bayon IC and informs it about the current symmetrical key.

Using this method, for example, a notebook computer with encrypted hard-disk data communicates in the same way with the user as does a notebook computer without data encryption, as long as the chipcard is plugged into the computer's slot. Removing the chipcard not only makes the notebook computer's hardware useless, but it also makes the data stored on the hard disk unreadable.

To encourage companies to use its security ICs, and to help them do so, Infineon founded a global partnership dubbed Silicon Trust. It focuses on applications from varying industries that either have exceptional security requirements, or else will become security-dependent. These include computing, secure e-commerce and m-commerce, telecommunications, and industrial and automotive applications.

The Bayon IC, though, is limited in PC security applications, and communication with chipcards is only possible at maximum data rates of about 150 kbits/s, via a serial interface. This makes its use with PCs less than ideal for encrypting large amounts of data.

Infineon has addressed this problem with a very promising solution for bringing security to the mass market, the USB Token. Although it's very similar to a controller within a chipcard, the Token doesn't have the slow 150-kbit/s "standard" serial interface. Instead, it has a fast 12-Mbit/s interface for USB ports. Because USB interfaces are available on all new computers, no additional chipcard readers are required when employing USB Tokens.

Therefore, generating a key or setting up an SSL session on unsafe PC platforms by using software encryption is no longer necessary. Safer hardware encryption is now possible. "A chipcard is a representation of a human being in a technical system," explains Ulrich Haman of Infineon, "and so is the USB Token, but with a faster interface."

On the other hand, a high-speed serial interface isn't always needed for secure authentication. For instance, RSA Security, a company that has already sold over 500 million encryption software packages, also created an active token. The device, based on a chip from a European chipcard manufacturer, contains a battery and generates a new password every 60 seconds. This password is then displayed on a 6- or 8-digit LCD and typed into the computer manually. The Swiss bank Credit Suisse already has 150,000 of these active tokens in use for authentication over the Internet.
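The token's algorithm is proprietary and not given in the article; the added example below (not code from RSA Security or from this article) uses the open HOTP/TOTP construction from RFC 4226 and RFC 6238 as a stand-in to show how a 60-second password is derived and how the server side can tolerate clock drift while refusing a replayed password. The secret is the public RFC test key, and `Verifier` and its parameters are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds each password stays valid, as described in the article
DEMO_SECRET = b"12345678901234567890"  # constructed: public RFC 4226 test key


def otp(secret: bytes, t: int, digits: int = 6) -> str:
    """Password shown by the token during the 60 s window containing time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Server side (hypothetical): accepts +/- drift windows, rejects replays."""

    def __init__(self, secret: bytes, digits: int = 6, drift_windows: int = 1):
        self.secret = secret
        self.digits = digits
        self.drift = drift_windows
        self.last_window = -1  # highest time window already accepted

    def check(self, candidate: str, now: int) -> bool:
        current = now // STEP
        for w in range(current - self.drift, current + self.drift + 1):
            if w <= self.last_window:
                continue  # this window (or a later one) was already used
            expected = otp(self.secret, w * STEP, self.digits)
            # Constant-time comparison avoids leaking matching digits by timing.
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                self.last_window = w
                return True
        return False


if __name__ == "__main__":
    v = Verifier(DEMO_SECRET)
    code = otp(DEMO_SECRET, 70)
    print(code, v.check(code, 70), v.check(code, 80))  # second use is refused
```
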

Not only are smartcards becoming more common in PC security applications, they're also gaining more capabilities. With its latest smartcard IC solution, Atmel Corp. offers the largest reprogrammable nonvolatile memory on a smartcard chip: 256 kbytes. This compares with conventional solutions of 64 kbytes. The T89SC256C is an 8/16-bit secure microcontroller based on an 80C251 enhanced architecture, and it is software compatible with any existing 80C51-based application. Plus, the 0.35-µm CMOS IC has an embedded arithmetic cryptoprocessor and other security features.

Its small 25-mm² size and low 10-mA power consumption at 5 V and 5 mA at 3 V make it ideal for embedded smartcard applications. Its UART and SPI communication interfaces enable the cryptocontroller to also support larger secure systems, such as smartcard readers and set-top boxes.

The T89SC256C includes several dedicated security features, like a true random-number generator, a secure memory management unit, an automatic memory error detection and correction mechanism, and physical sensors. Plus, a watchdog timer is included to control the correct execution of the embedded application software.

For high-speed cryptographic computation capacity, a separate arithmetic crypto coprocessor is provided on-chip. It supports up to 2048-bit RSA computations. A 1024-bit RSA computation with the Chinese Remainder Theorem (CRT) is achieved in 90 ms. Samples of the chip are available now. As with all chip-card designs from other semiconductor companies, Atmel's latest offering was created in Europe.

Companies Mentioned In This Report
Atmel Corp.
+33 130 60 70 00
www.atmel-wm.com

Hi/fn Inc.
(408) 399-3500
fax (408) 399-3501
www.hifn.com

IMEC
+32 16 28 12 11
www.imec.be

Infineon Technologies AG
+49 89 234-0
www.infineon.com

Motorola Semiconductor Inc.
(602) 244-6900
www.motorola.com

National Semiconductor Corp.
(408) 721-5000
www.national.com

RSA Security
(781) 301-5000
www.rsasecurity.com

Silicon Trust
Contact Veronica Preysing, project coordinator at Infineon Technologies
www.silicon-trust.com

STMicroelectronics
+33 450 40 25 00
www.st.com

TCPA Program Office
c/o Intel Corp.
(503) 696-7954
www.trustedpc.org

Wave Systems Corp.
(413) 243-0045
www.wavesys.com
