AT88SA102S-TH-T Datasheet AT88SA102S-TH-T, AT88SA102S-SH-T, AT88SA102S-TSU-T | P1-P3

Atmel AT88SA102S

Atmel CryptoAuthentication Product Authentication Chip

DATASHEET

Not Recommended for New Designs

Replaced by ATSHA204

Features

• Secure authentication and key exchange

• Superior SHA-256 hash algorithm

• Best in class 256-bit key length

• Guaranteed unique 48-bit serial number

• High speed single wire interface

• Supply voltage: 2.7V – 5.25V

• 1.8V – 5.25V communications

• <150nA sleep current

• Multi-level hardware security

• Secure personalization

• Green compliant (exceeds RoHS) 3-pin SOT-23 or 8-lead SOIC packages

Applications

• Authentication of replaceable items

• Software anti-piracy

• Network and computer access control

• Portable media player and GPS system

• Key exchange for encrypted downloads

• Prevention of clones for demo and evaluation boards

• Authenticated communications for control networks

• Anti-clone authentication for daughter cards

• Physical access control (electronic lock and key)

8584H−CRYPTO−9/2012

Atmel AT88SA102S [DATASHEET] 2

8584H−CRYPTO−9/2012

Figure 1. Pin Configurations

Pin name Function

SIGNAL Serial data, single-wire clock and data

GND Ground

VCC Power supply

1. Introduction

The Atmel

AT88SA102S is a member of the Atmel CryptoAuthentication family of cost-effective authentication chips

designed to securely authenticate an item to which it is attached. It can also be used to exchange session keys with some

remote entity so that the system microprocessor can securely encrypt/decrypt data. Each AT88SA102S chip contains a pre-

programmed serial number which is guaranteed to be unique. In addition, it has been designed to permit secure

personalization so that third parties can build devices containing an OEM secret without concern for the theft of that secret.

It is the first small standard product to implement the SHA-256 hash algorithm, which is part of the latest set of recommended

algorithms by the US Government. The 256-bit key space renders any exhaustive attacks impossible.

The CryptoAuthentication family uses a standard challenge response protocol to simplify programming. The system generates

a random number challenge and sends it to the AT88SA102S chip. The chip hashes that with a 256-bit key using the SHA-256

algorithm to generate a keyed 256-bit response which is sent back to the system.

The chip includes 128-single bit one time programmable fuses that can be used for personalization, status or consumption

logging. Atmel programs 40 of these bits prior to the chip leaving the factory, leaving 88 for user purposes. See Section 1.3 for

more information.

Note: The chip implements a failsafe internal watchdog timer that forces it into a very low power mode after a certain

time interval regardless of any command execution or IO transfers that may be happening at the time the timer

expires. System programming must take this into consideration. See Section 5.4 for more details

1.1 Usage

There are many different ways in which the AT88SA102S can add an authentication capability to a system. For more

information, see the “Atmel CryptoAuthentication Usage Examples” applications note.

In general, however, all these security models usually employ one of two general key management strategies:

• Fixed challenge response number pair stored in the host. In this case, the host sends its particular challenge and

only an authentic AT88SA102S can generate the correct response. Since no secret is stored on the host, there is no

security cost on the host. Depending on the particulars of the system, each host may have a different challenge

response pair and/or each client may have the same key.

• Host computes the response that should be provided for a particular client against a random challenge and/or

include the client ID number in the calculation. In this case, the host needs to have the capability to securely store

the secret from which diversified response will be computed. One way to do this is to use a CryptoAuthentication

host chip. Since each client is unique, the host can maintain a dynamic black list of clients that have been found to

be fraudulent.

GND

8-lead SOIC

VCC

SIGNAL

GND

VCC

SIGNAL

3-lead

Atmel AT88SA102S [DATASHEET] 3

8584H−CRYPTO−9/2012

1.2 Memory Resources

Fuse Block of 128-fuse bits that can be written through the one wire interface. Fuse[1] and Fuse[87] have

special meanings, see Section 1.3 for more details. Fuse[88:95] are part of the manufacturing ID value

fixed by Atmel. Fuse[96:127] are part of the serial number programmed by Atmel which is guaranteed to

be unique. See Section 1.4 for more details on the Manufacturing ID and Serial Number.

ROM Metal mask programmed memory. Unrestricted reads are permitted on the first 64-bits of this array. The

physical ROM will be larger and will contain other information that cannot be read.

ROM MfrID 2-bytes of ROM that specifies part of the manufacturing ID code. This value is assigned by Atmel and is

always the same for all chips of a particular model number. For the AT88SA102S, this value is 0x2301

(appears on the bus: 0x0123), ROM MfrID can be read by accessing ROM bytes 0 and 1 of Address 0.

ROM SN 2-bytes of ROM that can be used to identify chips among others on the wafer. These bits reduce the

number of fuses necessary to construct a unique serial number. The ROM SN is read by accessing

ROM bytes 2 and 3 of Address 0. ROM SN can always be read by the system and is optionally included

in the message digested by the MAC command.

RevNum 4-bytes of ROM that are used by Atmel to identify the model mask and/or design revision of the

AT88SA102S chip. These bytes can be freely read as the four bytes returned ROM address one,

however system code should not depend on this value as it may change from time to time.

1.3 Fuse Map

The AT88SA102S incorporates 128 one-time fuses within the chip. Once burned, there is no way to reset the value of a fuse.

Fuses, with the exception of the manufacturer ID and serial number bits initialized by Atmel have a value of one when shipped

from the Atmel factory and transition to a zero when they are burned. Bits 0-63 can never be read, while bits 64-128 can

always be read.

Table 1-1. The 128 Fuses in the Atmel AT88SA102S Chip are Arranged in the Following Manner

Fuse # Name Description

1 BurnFuse Enable If this fuse is one, then the BurnFuse command is enabled. If it is burned to zero, then

the BurnFuse command is disabled.

0 and 2  63 Secret Fuses These fuses can be securely written by the BurnSecure command but can never be

read directly with the Read command.

64  83 Status Fuses These fuses can be written with the BurnSecure command and can always be read

with the Read command. They are totally user-defined.

84  86 Status Fuses These fuses can be written with the BurnSecure command and can always be read

with the Read command. They are user-defined, but have special significance for the

Pause Long command. See Section 6.6.

87 Fuse Disable The MAC command ignores the values of Fuse[0-86] while this fuse is an one

Once it is burned to zero, the BurnSecure command is disabled.

88  95 Fuse MfrID See Section 1.4. Set by Atmel; cannot be modified in the field.

96  127 Fuse SN See Section 1.4. Set by Atmel; cannot be modified in the field.

BurnFuse Enable This fuse is used to prevent operation of the BurnFuse command in the application. This fuse may only

be burned to 0 using the BurnSecure command.

P1-P3 P4-P6 P7-P9 P10-P12 P13-P15 P16-P18 P19-P21 P22-P24 P25-P25

AT88SA102S-TH-T

Mfr. #:

Buy AT88SA102S-TH-T

Manufacturer:

Microchip Technology / Atmel

Description:

Security ICs / Authentication ICs 58951-Eb CryptoAuth SHA-256 GRN

Lifecycle:

New from this manufacturer.

Delivery:

DHL FedEx Ups TNT EMS

Payment:

T/T Paypal Visa MoneyGram Western Union

AT88SA102S-TH-T

AT88SA102S-TH-T

Products related to this Datasheet