USB Type-C Authentication Protocol announced

by Mark Tyson on 3 January 2019, 11:12

Tags: USB Implementers Forum

The USB Implementers Forum (USB-IF) has announced an authentication program to help USB Type-C users avoid the risks associated with non-compliant and/or malicious USB peripherals. The USB Type-C Authentication Program was launched yesterday and is said to be an important milestone for the advancement and adoption of USB technology.

The press release and linked PDF document outline the key characteristics of the USB Type-C authentication solution as follows:

  • A standard protocol for authenticating certified USB Type-C Chargers, devices, cables and power sources
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

In summary, the optional security protocol allows OEMs to confirm the authenticity of USB chargers, cables and devices before they exchange any power/data. The protocol will confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status, at the moment a physical connection is made. Such extra security will allow smartphone users, for example, to be more confident as they plug into a charging port in a public space.

Leading provider of TLS/SSL, PKI and IoT security solutions, DigiCert, will manage the PKI and certificate authority services. DigiCert was chosen as it has the technical expertise and scale required as the authentication body. It will surely be relishing the prospect of the payments that will flow when the USB Type-C Authentication Protocol is implemented.

Ahead of the above implementation, some companies have taken some steps to protect their devices from unauthorised wired connection issues. Google added the USBGuard security feature to Chrome OS in December to protect Chromebooks from USB access when the screen is locked, and Apple rolled out a similar feature in iOS 11.4.1, back in July.



HEXUS Forums :: 7 Comments

yyyy? The Google block for using USB while locked is nothing like certifying the devices for use… Am I missing a point?
Prepare to throw out all the old chargers as they will not have the certificate installed, even if they are working just fine.
I don't get what's the point other than milking customers.
As above, I see no use in this other than to enable the locking down of hardware for the benefit of corporations. Business environments can already deploy various ways of ensuring unauthorised devices cannot be connected to their networked hardware.
So, Apple-like cables … not good... not good at all

This could only be good if it is an open and free standard for everyone to use (like web certificates), and if companies will not lock you into only using their cables on their devices (so you have to pay 30 bucks for a 1m cable instead of 5)
TBH I kind of like the idea of authentication on hardware to ensure it does what it's supposed to do or works as intended.

I've seen plenty of reports of fried hardware when the cable wasn't up to the task and I've been seeing more reports where usb devices are being used to hack into hardware or pass on malware/virus programs etc.

As long as it's not used to jack up prices or restrict usage (in any way including drm based) like for example Apple and the lightning cable (which was basically just a glorified usb3 cable with a different socket) then I don't see an issue with an added level of protection/security this can offer.
EvilCycle
As above, I see no use in this other than to enable the locking down of hardware for the benefit of corporations. Business environments can already deploy various ways of ensuring unauthorised devices cannot be connected to their networked hardware.
How about de-authorizing a device/cable/charger after it's been used for a certain time period or amount of times?
…for the safety of the device, of course!