1. Field
Various features relate to data authentication and particularly to message authentication code (MAC) tags for use with data stored in mobile computing devices.
2. Background
Data integrity/authentication can be provided in a data storage system by storing tags or hashes alongside the data, such as MAC tags. For example, a MAC tag may be generated for use with a data unit to be stored by applying a message authentication algorithm (MAA) to the secret key and the data. The data unit and the MAC tag are then stored in a storage device such as a memory device. When the data unit is subsequently read from storage, a new MAC tag is generated based on the retrieved data and the original secret key. If the new MAC tag differs from the stored MAC tag, the data unit is rejected as being corrupted. If the new MAC tag is the same as the stored MAC tag, the data is thereby authenticated and deemed trustworthy. However, if data is updated legitimately over time, an attacker could replace a valid (data unit, tag) pair in the storage device with an old (data unit, tag) pair. This is an example of a rollback attack. In particular, the problem can arise when data is stored in a relatively insecure storage device such as an off-chip storage that is external to a more secure System-on-a-Chip (SoC) processing circuit of the type used, e.g., in mobile wireless devices. Another form of attack such storage systems are susceptible to is a cut-and-paste attack in which an attacker substitutes a section of encrypted data with a section of encrypted data from another location with the hope that the resulting decrypted data will be identical when placed at the new location compared to the old location. Mitigation of these forms of attacks can be expensive because effective mitigation may require storage of state data in a secure storage such as within an on-chip storage. For example, in an extreme case, all the tags may be stored within a secure on-chip storage to completely prevent a rollback attack of data in off-chip storage. Such an implementation is impractical due to storage and performance requirements.
Therefore, there is a need to protect data integrity from various types of attacks.