Digital Authentication for Medical Devices

For medical devices with replaceable or disposable accessories, proving that the correct accessory, or attachment, is being used can be critical. Incorrect accessories may be accidentally used, such as accessories designed for another model of the same equipment, or for another manufacturer’s equipment, which could cause safety issues. Digital authentication can provide a high degree of certainty that a medical device accessory is both correct and genuine, with minimal impact on the design.

For medical devices with replaceable or disposable accessories, proving that the correct accessory, or attachment, is being used can be critical. Incorrect accessories may be accidentally used, such as accessories designed for another model of the same equipment, or for another manufacturer’s equipment, which could cause safety issues. Likewise, the reuse of disposable accessories may be unsanitary and could result in inferior performance. Most critically, counterfeit accessories may not be designed to the same standards and could have significantly inferior performance. The loss of revenue caused by counterfeit accessories may also impact the business model for some medical devices.

Digital authentication can provide a high degree of certainty that a medical device accessory is both correct and genuine, with minimal impact on the design. On discovering an accessory that does not authenticate successfully, the system can respond in a manner prescribed by the system’s designer. The response can vary from merely informing the operator that the accessory failed to authenticate to preventing the system from operating.

Digital authentication

Digital authentication schemes range from simple ID systems to the exchange of digital signatures. At a hardware level, digital authentication requires embedded intelligence in the system and in the authenticated accessory. Many modern systems already contain an embedded processor that can be used to control authentication and a processor in the accessory can be revised to implement authentication. Even if an authenticated accessory doesn’t contain any embedded intelligence, the addition of a small, low-cost, low-power microcontroller is relatively easy.

The other physical requirement is a bi-directional communications channel between the system and the accessory to allow the exchange of data. An existing communications channel between the system and the accessory may be used, or a channel within the equipment could be extended to enable communication with the accessory. Should a communications channel need to be added, UART, I²C™, SPI and single-wire protocols (such as the UNI/O® protocol) are all well-suited, due to the limited number of connectors, low protocol implementation requirements and wide range of devices with hardware support. For some medical applications, RFID may be suitable, since it does not require external electrical connections. This allows the accessories and systems to be sealed, which simplifies cleaning and sterilization.

Simple authentication can be performed using ID transmission, where the accessory identifies itself to the system when requested. Using this scheme, the accessory’s microcontroller can be replaced by a serial EEPROM with a stored ID that is read by the system. ID transmission can prevent issues such as the use of incorrect accessories or accidental reuse by storing data that indicates the accessory has already been used. The downside of this scheme is that the security level is very low, since counterfeiters need only replay the ID recorded from a valid accessory.

A more secure scheme is challenge response/authentication and its derivatives. In this scheme, the system asks the accessory a question to which only an authentic accessory has the answer. The authentic accessory answers correctly, while a counterfeit is discovered and handled appropriately by the system.

There are several stages in a typical implementation’s challenge/response authentication. See Figure 2.

1. The system generates a random number, or challenge.
2. The challenge is transmitted to the accessory.
3. The accessory modifies the challenge in a pre-arranged, non-obvious way to create the response.
4. The accessory transmits the response to the system.
5. Meanwhile, the system retains a copy of the challenge and modifies it to determine the ideal response.
6. The system compares the ideal response with the accessory’s response. If they match, the accessory is authentic.

For secure authentication, the system needs to allow a wide range of challenges to defend against counterfeiters generating a look-up table of authentic responses for all challenges. Computing the response on the fly, rather than storing the responses in the accessory, reduces the storage requirements and makes the cost of storing large tables uneconomical for counterfeiters.

Generating random numbers in the system for use as challenges is not simple in a deterministic digital system. Few external measurements are truly random, unpredictable and evenly distributed, and a limited number of potential challenges reduces the number of responses to be stored by counterfeits. A more robust method is to implement a pseudorandom number generation algorithm with each system having a unique seed number, possibly using a modified form of the system serial number. Validated pseudorandom number generation algorithms produce a non-repeating sequence of numbers that is evenly distributed across their potential range of output values. The sequence of output values is determined by the seed value used to initialize the algorithm, and each system should have a unique seed value so as to produce a unique number sequence. Likewise, the variables of the algorithm should be stored in non-volatile memory so their values are retained when power is removed from the system. This prevents the algorithm from being reinitialized and repeating the same number sequence.

The modification of the challenge can be performed by encrypting the challenge or passing it through a one-way math function, called a secure hash. Both methods fulfill the requirement of the modification by being non-obvious and not producing any identifiable trend in output for sequential inputs. The modification needs to be non-obvious as both the challenge and responses can be monitored by eavesdropping on the communications channel. Encryption and secure hash algorithms are ideal for this modification as attempting to determine their modification requires excessive numbers of calculations and large number of challenge-response pairs. Symmetrical, block-based encryption ciphers, such as AES, TDES and XTEA, are suitable ciphers for microcontroller-based authentication, as they require little RAM and program space, and are computationally efficient. These features enable the use of a low-cost microcontroller. Their efficiency means an encryption can be performed by executing a relatively low number of instructions, allowing the microcontroller to be placed in a low-power state on completion, reducing overall current. Block-based ciphers encrypt a number of bytes at a time and produce a matching size result. All three encryption ciphers are in the public domain, have withstood international analysis of their security and their encryption strength is believed to be well understood. Secure hash algorithms are similar to a checksum of the challenge, with a secret value intermixed, which provides a method of determining whether the calculations were performed by an authentic device. Hash algorithms, unlike encryption, are not a one-to-one mapping. Because of this, the original input cannot be recovered from the result, as it could be produced by more than one set of input data. Suitable secure hash algorithms are HMAC-SHA-1 and HMAC-SHA-256. However, they require far more RAM and program memory to implement, necessitating a more expensive microcontroller.

For both secure hash and encryption algorithms, the modification method for input data is determined by a key. This key needs to be kept secret, since it determines the security of the system, not the encryption ciphers selected. This method is known as Kerchoff’s principle, which states that knowing which algorithm is used does not negate the security, since the key determines how the input is modified. To ensure the key is kept secret, it should be maintained in system memory, such as on-processor flash or EEPROM, which cannot be simply read-out. Likewise, storing the key in the microcontroller’s on-chip memory and enabling security features to block it from being downloaded prevents key identification. Similarly, the handling and knowledge of keys during system design and in production environments should be carefully managed to prevent disclosure.

Some algorithms support varying-sized keys, where larger keys offer increased security at the cost of additional calculations and resources to perform encryption. All encryption schemes are vulnerable to a brute-force attack. Using a known pair of input and output data, the input is encrypted with a progressive sequence of keys until a matching output is produced. Even for smaller keys this can require considerable calculations, but with the steadily increasing computing power available, it is worthwhile to implement the largest key possible for the suitable range of microcontrollers, since the number of keys grows exponentially with the size of the key, thus increasing the time required for a brute-force attack. Keys should be randomly chosen so they can be anywhere within the possible range of keys, which makes it less probable for a brute-force attack to find the key early in its attempts. It is mathematically possible for a brute-force attack to find the key on its first attempt, but extremely unlikely given the huge number of possibilities.

The time required to generate tables of authentic responses can be sufficiently increased, in order to hinder this attack. This can be done by implementing time-outs, such as five seconds between authentication, and by placing limits on the maximum acceptable data rate for communications, which limits how frequently challenges can be received. Increasing the size in bits of challenges exponentially increases the table size, making storage prohibitively expensive for counterfeits. Additionally, methods exist for challenges larger than the cipher block size. Periodic re-authentication can prevent the system from being started with an authentic accessory and then another being swapped in post-authentication.

It is possible to reduce the time required to generate a table of good responses by challenging multiple accessories in parallel. However, the time required may still be significant and the table will still require large volumes of storage.

An enhancement on the challenge response scheme is to equip each authenticated accessory with an individual encryption key. This setup gives each accessory its own unique response to a challenge but requires the system to either store the encryption keys for all authenticated accessories or to be able to derive the required key. Both methods require the accessory to have a serial number, in order to identify the key required, but deriving the required key is more efficient from a storage viewpoint. The system performs this by encrypting the serial number of the accessory using an extra-secret master key, as shown in Figure 3. The result of this operation is used as the encryption key for authentication. Measures must be taken to safeguard the master key, because if the master key is compromised, the scheme is unable to detect duplicates. However, only the system needs to know the key, as the serial numbers of accessories are known during their manufacture and the secret master key has already been determined, which fixes the encryption key for each accessory. As a result, accessories need only be programmed with their serial number and their encryption key and do not require the master key.

The advantages of this scheme are that multiple devices cannot be challenged in parallel, since each will have different responses. Also, should an authenticated accessory be compromised, only clones of this accessory with identical serial numbers can be produced. Once detected, systems may be able to blacklist this serial number.

The addition of digital authentication allows the accessory’s serial numbers to be recorded automatically by the system, and allows the management of recalls and enforcement of expiration dates if they are incorporated into serial numbers. Digital authentication uses encryption as a modifier and decryption is not implemented. However, decryption can require similar resources and code segments, making the addition of secure communications between the system and accessory possible. The non-volatile memory inside the microcontroller can be used to store additional data, tightly binding calibration with the accessory and allowing usage data to be recorded.

Conclusion

Digital authentication of medical accessories can improve safety by preventing accidents, the lapses in unsanitary re-use of disposable accessories and the propagation of counterfeit accessories, while also protecting revenue streams. The hardware requirements are easily met using a small, low-cost and low-power microcontroller. There are a number of suitable existing communications channels. Encryption block ciphers require minimal RAM, and can be implemented efficiently in a small microcontroller.

Further information on authentication schemes and encryption algorithms can be found in the following application notes:

• AN743: Modular PICmicro® Mid-Range MCU Code Hopping Decoder, Lucio Di Jasio, Microchip Technology Inc., 2006
• AN821: Advanced Encryption Standard Using the PIC16XXX, Calo Gubel, Microchip Technology Inc., 2002
• AN1259: Microcontroller-based Code Hopping Encoder, Enrique Aleman, Microchip Technology Inc., 2008