Detailed Description
The DS28E36 is a secure authenticator that supports multiple asymmetric (ECC-P256) and symmetric (SHA-256) security functions. In addition to the security services provided by the hardware implemented ECC and SHA-256 engines, the device integrates a FIPS/NIST true random number generator (RNG), 8Kb of secured EEPROM, a decrement-only counter, two pins of configurable GPIO, and a unique 64-bit serial number. The ECC public/private key capabilities operate from the NIST defined P-256 curve and include FIPS 186 compliant ECDSA signature generation and verification for bidirectional asymmetric key authentication. Additionally, through FIPS/NIST 800-56B ECDH-based key agreement, the device supports secure storage and host communication of sensitive data, such as application-specific crypto keys that would be used independently by a host processor. The SHA-256 secret-key capabilities are compliant with FIPS 180 and are flexibly used either in conjunction with ECDSA operations or independently for multiple MAC and HMAC functions. Through the integrated RNG, the device further enhances system crypto functionality with the ability to supply FIPS-grade random numbers to a host processor along with internal-only functions including nonce values for ECDSA operation and optional generation of its ECC private keys. Two pins of GPIO can be independently operated under command control and include configurability supporting authenticated and nonauthenticated operation including an ECDSA-based crypto-robust mode to support secure-boot of a host processor.
The DS28E36 integrates an 8Kb secured EEPROM array to store keys, certificates, general-purpose data and control registers. Multiple user-programmable protection modes exist for the general-purpose memory space including open, ECDSA R/W authentication protection, SHA-256 HMAC R/W authentication protected, and SHA-256 one-time-pad (OTP) R/W encryption in conjunction with an ECDH established key. With these options, general-purpose memory can be flexibly configured to store end application data ranging from nonsensitive calibration constants to critically sensitive host-system crypto keys.
The DS28E36 also provides a dedicated 17-bit counter that operates in a decrement-only mode to support applications where limited use requirements exist and must be tracked. Once set and upon command, the device decrements the counter value by 1. After the counter reaches a value of 0, no additional changes are possible. To prevent replay attacks, a read of the counter is performed with user-selectable ECDSA or SHA-256 HMAC authentication.
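The replay protection described above, sketched as an added example that is not from the datasheet and does not reproduce the DS28E36 command set or message format: a simplified software model in which the host sends a fresh random challenge and the device answers with the counter value and an HMAC-SHA-256 over challenge and value. The class and function names, the 3-byte counter encoding and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

COUNTER_BITS = 17  # counter width stated in the text above

class ModelAuthenticator:
    """Hypothetical software model; not the DS28E36 command set."""
    def __init__(self, secret, start):
        if not 0 <= start < 2 ** COUNTER_BITS:
            raise ValueError("counter must fit in 17 bits")
        self._secret, self._counter = secret, start

    def decrement(self):
        """Decrement by 1; at 0 no further change is possible."""
        if self._counter == 0:
            return False
        self._counter -= 1
        return True

    def read_counter(self, challenge):
        """Return the counter and an HMAC binding it to the host's challenge."""
        msg = challenge + self._counter.to_bytes(3, "big")  # assumed layout
        return self._counter, hmac.new(self._secret, msg, hashlib.sha256).digest()

def host_verify(secret, challenge, value, tag):
    """Accept a reading only if its MAC covers this exact challenge and value."""
    if not 0 <= value < 2 ** COUNTER_BITS:
        return False
    msg = challenge + value.to_bytes(3, "big")
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    secret = secrets.token_bytes(32)   # constructed shared secret
    dev = ModelAuthenticator(secret, start=2)
    c1 = secrets.token_bytes(32)
    v1, t1 = dev.read_counter(c1)      # earlier reading, value 2
    dev.decrement()
    c2 = secrets.token_bytes(32)       # fresh challenge for the next read
    v2, t2 = dev.read_counter(c2)      # current reading, value 1
    dev.decrement()                    # counter is now 0
    return {
        "fresh_ok": host_verify(secret, c2, v2, t2),
        "replayed_old_response": host_verify(secret, c2, v1, t1),
        "tampered_value": host_verify(secret, c2, v2 + 1, t2),
        "decrement_at_zero": dev.decrement(),
        "final": dev.read_counter(c2)[0],
    }
```

Because the host picks a new challenge for every read, a recorded response that reports a higher remaining count fails verification even though its MAC was valid when it was captured.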
The block diagram in Figure 1 shows the relationships
between the circuit elements of the DS28E36.
PIN  NAME  FUNCTION
1    N.C.  No Connection
2    IO    1-Wire IO
3    GND   Ground
4    PIOB  General-Purpose IO
5    PIOA  General-Purpose IO
6    CEXT  Input for External Capacitor
—    EP    Exposed Pad (TDFN Only). Solder evenly to the board’s ground plane for proper operation. Refer to Application Note 3273: Exposed Pads: A Brief Introduction for additional information.
[Figure: pin configuration, top view. DS28E36 in TDFN-EP (3mm x 3mm): pin 1 N.C., pin 2 IO, pin 3 GND, pin 4 PIOB, pin 5 PIOA, pin 6 CEXT, *EP.]
DS28E36 DeepCover Secure Authenticator
www.maximintegrated.com
Maxim Integrated
Pin Configuration Pin Description