Kategorie: Protection

CmDongles with flash memory for unique new possibilities

The CmStick/M, a CodeMeter dongle with a USB interface and integrated flash memory, was first introduced in 2004. Since its inception, the cryptographic capabilities of all CodeMeter dongles have expanded considerably, including all CmDongles with flash storage. Mobile applications that store data and program files on the CmDongle are now a simple option, such as refitting existing embedded and control systems with a slot for storage devices.

Cryptographic features in all CodeMeter dongles

In contrast to most other dongles, CodeMeter comes with substantial storage space on a smart card chip to allow the storage of multiple licenses (even for separate rights holders) with flexible options. At the same time, CodeMeter is a cryptographic genius in your pocket: CodeMeter masters symmetric encryption, asymmetric encryption, hashes, and signatures and can store X.509 certificates. There are also other stateful functions, enabling many applications from copy protection and flexible licensing to secure booting and code integrity protection of software, controls and devices for the Internet of Things.

CmStick/M, CmCard/µSD, /SD, /CF, and CmCard/CFast

CodeMeter dongles with flash memory are available for most common interfaces: µSD cards, SD cards, CF cards, CFast cards, USB sticks. What they all have in common are the trusted CodeMeter functions and a partition accessible as a regular storage device. All CmCards use SLC flash memory;
the CmStick/MC (Commercial grade) employs premium Samsung eMMC 2-Bit-MLC memory, offering large storage capacity at an unbeatable price point. There are special models of SLC products for greater temperature range, conformal coating for use in damp environments and many other options. All of this makes the dongles ready for use under tough industrial conditions, such as GSM relays or trains.

Storage Partitions: CmPublic, CmPrivate, CmCdRom, and CmSecure

The CmCards offer a CmPublic partition and a CmSecureDisk partition accessible via CodeMeter API. The USB-CmStick/M also offers another protected CmPrivate partition and a read-only CmCdRom partition that the host would recognize and treat as a CD-ROM. In detail, these partitions allow the following uses:

  • CmPublic: This partition comes as standard on all CmCards and the CmStick/M. As default, this is the standard full-size partition with read/write access for the host (PC). CmCards and the CmStick/M also use it to store the Codemtr.io file, which communicates with the smart card chip. The new CmStick/MI and /MC models also allow this disc to be configured and removed, as CodeMeter communicates via USB HID on these devices.
  • CmPrivate: This partition can be set up on all CmStick/M and only becomes visible after a password has been entered or when the API “Enabling” feature is used. The partition can also be set as read-only. New CmStick/MI and /MC also offer AES encryption for the data in the flash memory.
  • CmCdRom: This partition can be configured on all CmStick/M. The host sees the partition as a CD-ROM with autostart capabilities. The user can neither delete nor change the data. Only the “Enabling” feature, managed via the API, allows data to be saved to and updated on this CmCdRom partition.
  • CmSecureDisk: This partition can be set up on all CmStick/M and CmCards. It enables block-by-block read or write access via the CodeMeter API and is not accessible by the host (PC) as a disc. This makes it particularly suitable for logging, black-box functionality, or the storing of confidential data. The read/write access is managed by the CodeMeter feature “Enabling”. The CmStick/MC and /MI can also be configured as pure USB-HID devices, making the stick not appear as a disc and protecting the system from any potential viruses or malware. The CmSecureDisk can only be accessed via the CodeMeter API and the CodeMeter Runtime working on the host system. CmSticks are generally protected from attacks like BadUSB that rely on manipulating the storage devices firmware, because the firmware of CodeMeter is signed for added security.

CodeMeter “Enabling”

The CodeMeter feature “Enabling” allows the use of a special access code to activate or deactivate the entire CmContainer or individual entries, not unlike a traditional latch. The various disc partitions are managed via product items in the IFI. By linking these product items with enabling blocks, the API controls which functions are available. Specifically, access to the disc configuration (PI 6), read access to the CmPrivate disc (PI 4), write access to the CmPrivate disk (PI 1), write access to the CmCdRom disc (PI 5), access to the CmSecureDisc (PI 7), and write access to the CmSecureDisk (PI 9) can be controlled. This makes for top flexibility and security, since the “Enabling Access Codes” are used with a challenge-response process.

Why are CmDongles with flash memory more expensive than consumer products?

Storage products are produced in immense numbers for the IT market. Be it storage for digital cameras and camcorders or USB drives for computers, millions and millions of devices are produced every day, equipped with extremely cheap MLC and TLC flash memory that saves multiple bits of data in each cell. Sophisticated controllers allow quality sufficient for private usage at unbeatably low prices. Every few weeks, a new, cheaper product enters the market.

CodeMeter and other storage devices used for industrial applications in control devices, medical technology, telecommunications devices, or routers are designed for long life and reliable performance over many years, coping with constant write access and complying with exacting quality standards. Unchanging electronic components and firmware guarantee that CmDongles continue to operate reliably, whatever the client’s application. Extensive qualification checks and EMC / environmental conformity tests promise top quality. All of this requires substantial and costly efforts, but pays off in the long run for the customer.

Use Cases

Wincor-Nixdorf uses the “CrypTA” stick to give its service technicians secure access to confidential documents and applications on the go. The system also relies on two-factor authentication with the CmStick/M’s password protection and records all log-in data. The forensic software made by Access Data and Guidance also relies on CmStick/M’s secure access to protected application and storage. With CODESYS, the source code can be protected in the development environment and transferred to the CmStick/M. Expansion APPs can be licensed online and used with a CmDongle connected to a PC. A VxWorks Embedded Development Kit published by Wind River uses a CmStick/M to boot the Eclipse-based development environment under Linux and provide CodeMeter functions for creating encrypted and signed applications. A CmCard/µSD is included in this kit to boot an embedded target system from a secure image.

Summary

CmDongles with integrated flash disc offer unique advantages with their versatile interfaces and flexible storage capacity, combined with the CodeMeter’s characteristic security. Contact our experts to learn how they can benefit your application.  

 

KEYnote 29 – Edition Spring 2015

Do góry