Atmel ATSHA204
Atmel Cry pto Authenticati on Chip
DATASHEET
Features
• Secure authentication and validation device
• Integrated capability for both host and client operations
• Superior SHA-256 hash algorithm, HMAC option
• Best-in-class, 256-bit key length; storage for up to 16 keys
• Guaranteed unique 72-bit serial number
• Internal, high-quality random number generator
• 4.5-Kbit EEPROM for keys and data
• 512 OTP bits for fixed information
• Multiple I/O options
• High-speed, single-pin interface
• 1MHz I2C interface
• 2.0V – 5.5V supply voltage range
• 1.8V – 5.5V communications
• <150nA sleep current
• Extended, multi-level hardware security
• 8-lead SOIC, 8-lead TSSOP, 3-lead SOT23, and 8-pad UDFN packages
Applications
• Anti-clone protection for accessories, daughter cards, and consumables
• Secure boot validation, software anti-piracy
• Network and computer access control
• Key exchange for encrypted downloads
• Authenticated/encrypted communications for control networks
Figure 1. Pin Configurations
Pin Name
Function
SDA Serial data
SCL Serial clock input
GND Ground
VCC Power supply
8740C−CRYPTO−7/11
VCC
NC
SCL
SDA
NC
NC
NC
GND
4
3
2
1
5
6
7
8
8-lead UDFN
Bottom view
NC
NC
NC
GND
1
2
3
4
8
7
6
5
8-lead SOIC
VCC
NC
SCL
SDA
8-lead TSSOP
1
2
3
4
8
7
6
5
NC
NC
NC
GND
VCC
NC
SCL
SDA
3
2
1
GND
VCC
SDA
3-lead SOT23
Atmel ATSHA204 [DATASHEET] 2
8740C−CRYPTO−7/11
1. Introduction
The following sections introduce the f eatures and funct ions of the Atmel® ATSHA204 authentic ation chip.
1.1 Applications
The ATSHA204 i s a member of the Atmel CryptoAuthentication™ family of high-security hardware authentication devices. It
has a flexibl e c ommand set that all ows use for many applications, includin g the following:
• Anti-counterfeiting
Validate that a removable, replaceable, or consumable client is authentic. Example clients could be printer ink tanks,
electronic daughter cards, or other spare parts. It can also be used to validate a software/firmware module or
memory storage element.
• Protection for Firmware or Media
Validate code stored in flash memory at boot to prevent unauthorized modifications (aka secure boot), encrypt
downloaded media files, and uniquely encrypt code images to be usable on a single system only.
• Session Key Exchange
Securely and easily exchange stream encryption keys for use by an encryption/decryption engine in the system
microprocessor to manage such things as a confidential communications channel or an encrypted download.
• Secure Data Storage
Store secret keys for use by crypto accelerators in standard microprocessors. Can also be used to store small
quantities of data necessary for configuration, calibration, ePurse value, consumption data, or other secrets.
Programmable protection up through encrypted/authenticated reads and writes.
• User Password Checking
Validate user entered passwords without letting the expected value become known, map simple passwords to
complex ones, and securely exchange password values with remote system.
1.2 Chip Features
The ATSHA204 i nc ludes an electrically erasable programmable read-on ly memory (EEPROM) array that can be used for
storage of keys, miscella neous read/write, read-only or secret dat a, consumption logging, and sec urity configuration. A c cess
to the various sections of memory can be rest ricted in a variety of ways and t he configuration then locked to prevent changes.
See Section 2.1, “EEPROM Organization,” for more detai ls on the EEPROM organizat ion.
The ATSHA204 features a wide arr ay of defensive mechanism s specifically designed t o prevent physical attac ks on the chip
itself or logical attacks on the data transm i tted between the chip and the system. S ee S ection 3.4, “Securit y Featur es,” for
more details. Hardware restrictions on t he ways in which keys are us ed or generated, described in Section 3.3, “Key Values,”
provide further defense ag ai nst certain styles of attac k.
Access to the c hip i s through a standard I2C interface at speeds up to 1Mbit/sec (See Section 6 for details on this interface). It
is compatible with standard serial EEPR OM I2C interface specificati ons . The chip also supports a single-wire interface that can
reduce the num ber of GPIOs required on the system processor and/or reduc e the number of pi ns on connectors. The single-
wire interfac e is described in more detail in Section 5, “Single-wire Int er face.”
Using either the I2C or single-wire int erface, multiple ATSHA204 c hips can share t he same bus, which saves processor GPI O
usage in systems with multiple clients s uc h as different color ink tanks or multiple spar e parts. See Section 4.2, “Sharing the
Interface,” and Section 8.10, “Pause Comma nd,” for more details on the way in which this i s i m pl em ented.
Each ATSHA 204 s hips with a guaranteed unique 72-bit seri al number. Using the cryptographic protocols supported by the
chip, a host system or remote server can pro v e that the serial number is both authentic and not a copy. Serial numbers ar e
often stored i n a standard seri al E EPROM, but t hes e can be easily copied, and there is no way for the host to know if the serial
number is auth entic or a clone.
The Atmel ATSHA204 can gener ate high-quality random numbers and employ them for an y purpose, including as part of the
crypto protocols of this c hi p. Because eac h 256-bit random number is guaranteed to be unique from all numbers ever
generated on thi s or any other c hip, their inclusion in the pr otocol calcul ation ensures that replay attacks (re-t r ansmitting a
Atmel ATSHA204 [DATASHEET] 3
8740C−CRYPTO−7/11
previously successful transaction) always fail. Further information is found in Section 3.4.2, “Random Nu mber Generator,” and
Section 8.11, “Random Command.”
System integration is eased with a wide supply voltage r ange (2.0V thr ough 5.5V) and an ultra-low sleep current of <100nA.
Complete DC par ameters are found in Secti on 7, which describes multipl e package options, including a tiny SOT23 package
with a footpri nt of only 2.5mm x 3mm . See Section 11, “Package Drawings,” for m or e details and order ing codes.
See Section 9, “Compatibility,” for informat ion regarding c ompatibilit y with the Atmel AT88SA102S and Atmel AT88SA10HS,
previous members of the Atmel CryptoAuthentication f am i ly.
1.3 Cryptographic Operation
The ATSHA204 supports a standard challenge-response protocol to sim plify progr am ming. At i ts most basic, the hos t system
sends a challenge to the chip in the client, which combines that challenge with a secret key via the MAC command from the
system, described in Section 8.8, “MAC Command,” and sends the r esponse back t o the system. The chip uses a
cryptographic hash algor i thm for the combination, which prevents an observer on the bus from deri v i ng the value of the secret
key, but allows the recipient to verify th at the response is correct by performing the same calcul ation (combining the challenge
with the secr et) with a st or ed copy of the secret.
Due to the flexible command set of the ATS H A 204, however, this basic operation can be expanded in many ways. Using the
GenDig command (Section 8.5, “GenDig Command”) the v alues in other slots can be incl uded in the response digest, whic h
provides an ef fective way of proving that a data read real ly did come from the chip, as op posed to being inserted by a man-in-
the-middle attacker. This same command can be used to combine two keys with the challenge, which is useful when there are
multiple laye rs of authentic ation to be performed.
The DeriveKey command (Sec tion 8.3, “DeriveK ey Command”) implements a key rolling scheme. Depending on the com m and
mode paramet er , the resulting operation can be similar to that implemented in a remote-controlled garage door opener . Each
time the key is us ed, the curre nt value of the key is cryptographically combined with a value specific to that s ystem , and the
result forms the key for the next cryptographic operation. E v en i f an attacker gets the value of one key, that k ey will be gone
forever with the next use.
DeriveKey can also be used to generate new random keys that mi ght be valid onl y for a particul ar host ID, for a par ticular time
period, or for some other restricted environment. Each generated key is different from any other key ever generated on any
chip. By “activating” a host-client pair in the field in this manner, a clone of a single c l ient would not work on any other host.
In a host-client configuration where the hos t (for instance, a mobile phone) needs to ver i fy a client (for instance, an OE M
battery), t here is a need to store the secret in the host in order to valid ate the response from the clie nt. The CheckM ac
command (Section 8.2, “CheckMac Command”) allows the chip to securely store the client s ec ret and hide the c orrect
response value from the pins, returning only a yes/no answer to the system .
Where a user-entered password is a requirement, the CheckMac c ommand also provi des a way to both verify th e password
without exposing it on the communications bus as well as map t he password to a s tored value t hat can have muc h higher
entropy. See S ection 3.3.6 f or more details.
Finally, the h ash combination of a chall enge and secret key can be kept on the chip and X ORed with the contents of a slot to
implement an encrypted rea d (Section 8.12, “Read Comma nd” ) , or it can be XORed with encrypted input dat a to implement
an encrypted write (Section 8.14, “Write Com m and”).
Each of these operations can be protected against replay attacks by including a ran dom nonce (Section 8.9, “Nonce
Command,”) in the calculat ion.
All security f unctions are im plemented using the industry-stand ard SHA-256 secure hash algorithm, which is part of the latest
set of high-security cryptographic algori thms recommended by various governments and cryptographic expert s. Section 3.1,
“SHA-256,” includes a reference to the algorithm details. If desired, the SHA-256 algorithm can also be included in an HMAC
sequence (See Section 3.2, “HMAC/SHA-256,” and Section 8.6, “HMAC Command”). The AT SHA204 employs full-sized, 256-
bit secret keys to prevent an y ki nd of exhausti v e attack.
Atmel ATSHA204 [DATASHEET] 4
8740C−CRYPTO−7/11
2. Chip Organization
The chip contains the following memory blocks:
• EEPROM
• SRAM
2.1 EEPROM Organization
The EEPROM contains a total of 5312 bits, and i s di vided int o the following zones:
• Data
A 512-byte (4Kbit) zone split into 16 general-purpose, read-only, or read/write memory slots of 32 bytes (256 bits)
each that can be used to store keys, calibration data, model number, or other information related to the item to which
the Atmel ATSHA204 chip is attached. The nomenclature slot[yy] indicates the 32-byte value stored in slot yy of the
data zone.
• Configuration
An 88-byte (704-bit) zone that contains serial number and other ID information as well as access permission
information for each slot of the data memory. The nomenclature SN[a:b] indicates a range of bytes within a field of
the configuration section.
• OTP
A 64-byte (512-bit) zone of one-time programmable (OTP) bits. Prior to locking the OTP zone, the bits may be freely
written using the standard Write command. The OTP zone can be used to store read-only data. The nomenclature
OTP[bb] indicates a byte within the OTP zone, while OTP[aa:bb] indicates a range of bytes.
Within this document, the ter m s “slot” and “block” are used interchangeabl y t o mean a single, 256-bit (32-byte) area of a
particular memory zone. The different zones are broken down as follows:
• Data Section
16 slots (512 bytes/32 bytes = 16)
• Configuration Section
Three blocks (88 bytes/32 bytes = 3)
The 88 bytes are accessible from within a three-block address space
• OTP Section
Two blocks (64 bytes/32 bytes = 2)
Each slot or bloc k has potenti ally different access permiss ions.
Note: The industr y SHA-256 documentation uses the term “block” to indicate a 512-bit sect i on of the message input. In
addition, the I /O section of t hi s document uses the term “block” to indicate a v ariable-length aggregate element
transferred b etween the system and the chip.
Many sections of this document refer to a keyID, which is equivalent to the sl ot number for t hos e slots design ated to hold key
values. Ke y #1 (sometimes referred to as key[1]) is stored in Slot[1], and so on. While a ll 16 slots can potentially hold keys,
those slots for whi c h clear rea ds are permitted would not nor m al ly be used as keys by the crypto commands.
In this specification, the nomenclature mode:b ind i c ates bit b of the parameter mode.
On shipment f rom Atmel, the E E PROM contains factory test data that can be used for fixed-va lue board testing. This data
must be overwritten with the d esired contents prior to locking the configuration and/or data secti ons of the chip. See the Atmel
website for the document containing the specif ic shipment values.
Atmel ATSHA204 [DATASHEET] 5
8740C−CRYPTO−7/11
2.1.1 Configuration Zone
The 88 bytes in the configuration zone conta in manufacturing identification data, general chip and system c onfiguration, and
access restriction control values f or the slots within the data zone. The values of these bytes can always be obtained using the
Read command. The bytes of this z one are arranged as shown in Table 2-1.
Table 2-1. Configuration Zone
Byte # Name Description Write Read
0 3 SN[0:3] Part of the serial num ber value
See the Section 2.1.1.2, “Special Memory V al ues in the Co nfig Zone” Never Always
4 7 RevNum Chip r ev i s ion number
See the Section 2.1.1.2, “Special Memory V al ues in the Co nfig Zone” Never Always
8 12 SN[4:8] Part of the serial number valu e
See the Section 2.1.1.2, “Special Memory Values in the Config Zone” Never Always
13 Reserved Set by Atmel Never Always
14 I2C_Enable Bit 0:
0 = the chip operates in single-wire interface mode
1 = the chip operates in I2C interfac e m ode
Bits 1-7 are ignored:
These bits are set at the Atmel factory, depending on the p ar t
number, and c annot be changed
Never Always
15 Reserved Set by Atmel Never Always
16 I2C_Address Bit 0: I gnored
Bits 1-7: For I2C interface parts, t he m ost-significant seven bits of this
byte form the dev ice address value to which t his chip will res pond.
Bits 1, 2, and 4-7 are ignored for single-wire interface parts .
Bit 3 (TTLenable):
1 = the input lev els are VCC referenced
0 = the input lev els use a fixed reference
See Section 7.4.1 for more informatio n
If config
unlocked Always
17 RFU Reserv ed for future use, m ust be writte n to 0x00 If config
unlocked Always
18 OTPmode 0xAA (Read-only mode) = W rit es to the OTP zone are f orbidden
when the OTP zone is locked. Reads of all words ar e permitt ed
0x55 (Consumption mode) = Not supported at this time
Contact Atmel for more information
0x00 (Legacy mode) = When the OTP zone is locked, writes to the
OTP zone, reads of words 0 and 1, an d 32-byte reads are all
forbidden. See Section 9 for more information on compati bi lity with
the Atmel AT88SA102S device
All other values of OTPmode ar e reserved, and should not be us ed
If config
unlocked Always
19 SelectorMode If 0, then Selec tor can always be written with UpdateExtra. I f non-
zero, Selector can only be written if it c urrently has a val ue of zero
See Section 8.13 for more details
If config
unlocked Always
20 51 SlotConfig Two bytes of acc ess and usage permissions and controls for each
slot of the data zone. See the SlotConfig (byt es 20 – 51) section
below for more details.
If config
unlocked Always
Atmel ATSHA204 [DATASHEET] 6
8740C−CRYPTO−7/11
Byte # Name Description Write Read
52,54,56,58
60,62,64,66 UseFlag For “single use” keys (Section 3.3), this byte indicates how many
times a key ma y be used before s uc h use is disabled. Applies to
keys #0-7 only (byte 52 corresponds to Ke y0, 54 to Key1, an d so on).
Initialized t o 0xFF.
See Section 3.3
If config
unlocked Always
53,55,57,59
61,63,65,67 UpdateCount For keys that can be updated with DeriveK ey, these b ytes indicate
how many times this operation has been performed. Applies to keys
#0-7 only, (byt e 53 c orresponds to Key0, 55 t o Key1 and so on)
Initialized t o 0x00
See Sections 3.3 and 8.2
If config
unlocked Always
68 83 LastKeyUse 128 bits to control limited use for KeyID 15
Initialized t o 0xFF
See Section 3.3
If config
unlocked Always
84 UserExtra 1-byte value th at can be modif ied via the UpdateExtra command
after the data zone has been l oc ked Via
update
extra
cmd only
Always
85 Selector Selects which chip will remain in active m ode after t he execution of
the pause com m and
See Sections 8.10 and 8.13 f or more details
Via
update
extra
cmd only
Always
86 LockValue Controls the ability to write the OTP and data zones
0x55 = unlocked
0x00 = locked
On shipment f rom Atmel, this byte has a valu e of 0x55 corre s ponding
to the “unlocked” state. A fter the lock command has been r un, this
byte will have a value of 0x00, correspondin g to “locked”
See Sections 2.1.2 and 8.7 for more details
When locked, the OTP zone can be mo di fied only with the Write
command, and s l ots in the data zone c an be modifi ed only if the
corresponding WriteConfig field so ind i c ates.
When unlocked, the Read com m and i s prohibited within thes e two
zones
Via lock
command
only
Always
87 LockConfig Controls the ability to mo di fy the configuration zone
0x55 = unlocked
0x00 = locked
On shipment f rom Atmel this byte has a value of 0x55 corresponding
to the “unlocked” state. A fter the lock command has been run, this
byte will have a value of 0x00, correspondin g to”locked”
See Sections 2.1.2 and 8.7 for more details
Via lock
command
only
Always
Atmel ATSHA204 [DATASHEET] 7
8740C−CRYPTO−7/11
2.1.1.1 SlotConfig (bytes 20 – 51)
The 16 SlotCo nfig elements a re used to configure the access protections for each of the 16 s l ots within the A TSHA204. E ach
configuration element consists of 16 bits , which control the usage and ac cess for that particular slot/key. The SlotConfig field is
interpreted according to t he followin g table when the data zone is locked. When the data zone is unlocked, these restrictions
do not apply — al l slots may be freely written, and none may be read.
Table 2-2. SlotConfig Bits (per slot)
Bit #
Name
Description
0 3 ReadKey Use t hi s keyID to encrypt data being r ead from this slot using the read command. If zero,
then this slot can be the sour c e for the CheckM ac copy operation (see Sect ion 3.3.6). See
the descripti on for bit 6 in this table, the Read command description in Sec tion 8.12, a nd
Table 2-3 for mor e details.
Note: Do not use zero as a defa ult. Do not set this field to zero unless the CheckMac
copy operation is explicitly desired, regar dless of an y oth er read/ write restrictions
4 CheckOnly 1 = The key stored in the slot can be us ed only for Chec k Mac command. It can also be
used for GenDig if the subsequent use of TempKey is CheckMac. The key cannot be
used by any ot her command, eit her directly a s KeyID in the input parameter li s t or via
TempKey.
0 = The key stored i n the slot can be used by all crypto commands
5 SingleUse 1 = The key stored in the slot is “single us e.” See Sec tion 3.3 for m ore details
Ignored for keys in slots 8-14
0 = There are no usage limitations
6 EncryptRead 1 = Reads from this slot will be encrypted usi ng the procedure specified in t he Read
command desc ription (Sect ion 8.12) usin g R eadKey (bit s 0 – 3 in this table) to
generate the encryption ke y. N o input MAC is r equi red. If this bit is set, then I s Secret
must also be set (see also Table 2-3)
0 = Clear text reads may be permitted
7 IsSecret 1 = The contents of this slot are s ecret: Clear text reads are pro hibi ted, and bo th 4-byte
reads and writes are prohibited. This bit must be s et if EncryptRead is one or if
WriteConfi g has any value other than <Always> to ensure proper operation of the chip
0 = The contents of this slot should not conta i n confidential data or ke ys
See Table 2-3 for additional i nformation
8 11 WriteKey Use this key to validate and encrypt data written to t his slot
See Section 8.14 for addit ional information
12 15 WriteConfig Controls the ability to modify the data in this s lot
See Table 2-4 and S ection 8.14 for additional informat ion
Atmel ATSHA204 [DATASHEET] 8
8740C−CRYPTO−7/11
Read operations depend on the state of IsS ec ret and EncryptRead according to the followi ng table:
Table 2-3. Read Operation Permissio n
IsSecret EncryptRead Description
0 0 Clear text reads are always permitted from this slot
Slots set to this state should never be used as key storage
Either 4 or 32 bytes may be read at a time
0 1 Prohibited. No security is guaranteed f or slots using t his code
1 0 Reads are nev er permitted from this slot
Slots set to this state can st il l be used for key storage
1 1 Reads from this s l ot are encrypted us ing the encryption algor ithm documented in the Read
command desc ription (See Section 8.12)
The encrypti on key is in the slot specified by ReadKey. 4-byte reads and writes are prohibited
The 4-bit Wri teConfig field is interprete d by the Write and D er i v eKey commands as shown in Table 2-4 and Table 2-5, where X
means “don’t care.”
Note: The tables overlap. For example, a code of 0110 indicates a s l ot that can be written in encrypted form us i ng the
write command and also can be the target of an unaut horized DeriveKey command with the target as the source
Table 2-4. Write Configuration Bits – Write Command
Bit 15
Bit 14
Bit 13
Bit 12
Mode Name
Description
0 0 0 X Always Cl ear text writes are always p ermitted on this slot. Slots set to
“always” should never be used as key storage. Either 4 or 32 bytes
may be written to this slot
0 0 1 X Never Writes are never permitted on this slot using the Write command
Slots set to “never” can still be used as key storage
1 0 X X Never Writes are never permitted on this slot using the Write command
Slots set to “never” can still be used as ke y storage
X 1 X X Encrypt Writes to this slot require a properly computed MAC, and the input
data must be encrypted by the system with Wri teKey using the
encryption algorithm documented in the Write command description
(Section 8.13). 4-byte writes to this slot are prohibited
Table 2-5. Write Configuration Bits – Derivekey Command
Bit 15
Bit 14
Bit 13
Bit 12
Source Key
(1)
Description
0 X 1 0 Target DeriveKey command c an be run with out authorizin g M AC (Roll)
1 X 1 0 Target Author i zing MAC required for Deriv eKey command ( Roll)
0 X 1 1 Parent DeriveKey command c an be run with out authorizing MAC (Cr eate)
1 X 1 1 Parent Authorizing MAC r equired for Deri v eKey command ( C reate)
X X 0 X – Slots with this val ue in the WriteConfig field may not be used as the
target of the Deri v eKey command
Note: 1. The source key for the c omputation per formed by the DeriveKey com m and can eith er be the key direct ly
specified in Param2 (the “Target”) or the key at slotConfi g[Param2].WriteKey (the “Parent”)
See Section 3.3 for more details
Atmel ATSHA204 [DATASHEET] 9
8740C−CRYPTO−7/11
The IsSecr et bit controls int ernal circuitry necessary for proper security for slots in whic h Reads and/or Wr ites must be
encrypted or are prohibite d altogether. It must also be set for all slots that are to be used as keys, including those c reated or
modified with DeriveKey. S pecifically, to enable proper chip operation, this bit must be set unless WriteConfig is “always.”
4-byte accesses are prohibited to/from sl ots in which this bit is set.
Slots used to store key values should always have IsSec r et set to one and Enc ryptRead set to zero (reads prohibited) for
maximum security. For fixed key values, WriteConfig should be set to “ nev er.” When configured in this way, there is no way to
read or write t he k ey after the data zone is locked – it may onl y be used for crypto operations.
Some security policies re qui re that s ec rets be updated fr om time to time. The ATSHA204 supports this capability in the
following way: WriteConfig for the partic ular slot shoul d be set to “Encrypt” and SlotC onfig.WriteKey should point back to the
same slot by s etting WriteKey to the slot ID. A standard Write command can be then used to write a new value to this slot
provided that the authentication MAC is computed using the old (curr ent) key value.
2.1.1.2 Special Memory Values in the Config Zone (Bytes 0 – 12)
Various fixed informatio n is included in t he ATSHA204 that can never be written under any circumstances and can always be
read, regardl ess of the st ate of the lock bits .
• SerialNum
Nine bytes (SN[0:8]) which together form a unique value that is never repeated for any chip in the
CryptoAuthentication family. The serial number is divided into two groups:
1. SN[0:1] and SN[8]
The values of these bits are fixed at manufacturing time in most versions of the A tmel ATSHA204. Their
default value is 0x01 23 EE. These 24 bits are always included in the SHA-256 computations made by the
Atmel ATSHA204
2. SN[2:3] and SN[4:7]
The values of these bits are programmed by Atmel during the manufacturing process and are different for
every die. These 48 bits are optionally included in some SHA-256 computations made by the Atmel
ATSHA204
• RevNum
Four bytes of information that are used by Atmel to provide manufacturing revision information. These bytes can be
freely read as RevNum[0:3], but should never be used by system software, as they may vary from time to time.
2.1.2 Chip Locking
There are two separate lock states for the chip:
1. One to lock the configuration zone (controlled by LockConfig, byte 87)
2. Second to lock both the OTP and data zones (controlled by LockValue, byte 86)
These lock bit s are stored within s eparate byt es in the configuration zone, and can be modified only through the Lock
command. Af ter a memory zone is loc ked, ther e is no way to unloc k it.
The chip should be personalized at the system manufact urer with the desired configuration information, aft er which the
configuration zone shou l d be locked. When this lock is complete, all necessary writes of public and secret information into the
EEPROM slots should be perfor med, using encrypted writes if appropriate. Upon com pletion of any writes, the data and OTP
sections should be locked. Contact Atmel for optional secure personalization services.
It is vital t hat the data and OTP s ections be locked prior to releas e of the system containing the chip into the field. Failure to
lock these zones may permit modification of any secret keys and may lead to other sec ur ity problems.
Any attempt to read or write t he data or OTP sect i ons prior to locking the configuration section causes t he chip to return an
error.
Atmel ATSHA204 [DATASHEET] 10
8740C−CRYPTO−7/11
2.1.2.2 Configuration Zone Locking
Certain bytes within the configuration zone cannot be modified, regar dless of t he s tate of LockConfig. Access t o the remainder
of the bytes withi n the zone is controlled using the LockValue byte in the configuration z one, as sho wn in the followin g table.
Throughout this document, i f LockConfig is 0x55, the configuration zone is said to be unlocked; otherwise it is locked.
Table 2-6. Configuration Zone Lock ing
Read Access
Write Access
LockValue == 0x55 (unlocked) Read Write
LockValue != 0x55 (locked) Read <never>
2.1.2.3 Data Zone Locking
Throughout this document, if LockValue is 0x55, then both the OTP and data zones are sai d to be unlocked; otherwise they
are locked.
Note: There is neither read nor writ e access to the OTP and data zones prior to lock i ng of the configuration zone.
Table 2-7. Data z one access restrictions
Read Access Write Access
LockValue == 0x55 (unlocked) <never> Write
LockValue != 0x55 (locked) Read Write**
2.1.2.4 OTP Zone Locking
Reads and writes of the OTP zone depend on the state of the LockConfig, LockValue, and OTPmode byt es in the
configuration zone. See Section 2.1.3 for more information.
2.1.3 One Time Programmable (OTP) Zone
This zone of 64 bytes (512 bit s) is part of the EEP R OM array, and can be used for rea d-only storage or consumption l ogging
purposes.
Prior to locking the confi guration section (using lockConfig), the OTP zone is inac cessible and can be neither read nor written.
After configur ation locking, but prior to locking of the OTP zone (using lockValue), the entire OTP zone can be writ ten using
the Write command. If desire d, the data to be written can be encrypted. When unlocked, this zone canno t be read at all.
Once the OTP zone is locked, the OTPmode byte in t he configurat i on z one controls the permiss i ons of this zone, as follows:
• Read-only Mode
In this mode, the data cannot be modified, and would be used to store fixed model numbers, calibration information,
manufacturing history, or other data that should never change. The Write command will always return an error and
leave the memory unmodified.
All 64 bytes within the OTP section are always available for reading using either 4- or 32 -byte reads.
• Consumption Mode
This mode is not currently supported. Contact Atmel for further information.
• Legacy Mode
In this mode, the operation of the OTP zone is consistent the fuse array on the Atmel ATSA102S. Reads of words
zero and one are always prohibited, while reads of the remaining 14 words are always permitted. Only 32-bit reads
are permitted, and any attempt to execute a 256-bit read will result in an error return code. All write operations to the
OTP zone are prohibited. See Section 9 or more of the Atmel ATSA102S compatibility details.
All OTP zone b its have a value of one on shipment from the At m el factory.
Atmel ATSHA204 [DATASHEET] 11
8740C−CRYPTO−7/11
2.2 Static RAM (SRAM)
The chip includes an SRAM array that is used to store the input command or output result, intermediat e c omputation va lues,
and/or an ephe meral key. The entire contents of this mem ory are always i nvalidated whenever the ch i p goes into sleep mode
or the power is removed. T he ephemeral ke y i s named TempKey, and can be used as an input to the MAC, HMAC,
CheckMac, GenDig, and DeriveKey comma nds. It is also used as the data protec tion (encryption or decryption) key by the
Read and Write commands. See below for mor e details on TempKey.
2.2.1 TempKey
TempKey is a s torage register in the SRAM array that can be used to store an ephemeral result value from the Nonce or
GenDig commands. The cont ents of this register can never be r ead from the chip (although the chip itself can read and use
the contents internally).
This regist er contains the el ements shown in Table 2-8.
Table 2-8. TempKey Storage Reg ister
Name Length Description
TempKey 256 b i ts
(32 bytes) Nonce (from nonce command) or Digest (from GenDig command)
KeyID 4 bits If TempKey was generated by GenDig (see the GenData and CheckFlag bits), these bits
indicate which key was used in its computation. The four bits represent one of the slots of
the data zone
SourceFlag 1 bit The s our ce of the randomness in Tem pKey:
0 = Internall y generated random number (Rand)
1 = Input seed only, no internal r andom generat ion (Input)
GenData 1 bit 0 = TempKe y.KeyID is not meaningful, and is i gnored
1 = The contents of TempKey were generated by GenDig using one of the slots in the data
zone (and Tem pK ey.KeyID will be meaningf ul)
CheckFlag 1 bit If 1, the contents of T em pKey were generated by the GenDig command and at least one of
the keys used in that generation is restric ted to the CheckMac command
(SlotConfig.CheckOnly is 1). Otherwise, this bit will be 0.
Valid 1 bit 0 = The inform ation in TempK ey is invalid
1 = The information in TempK ey is valid
In this specification, the name “Tem pKey” refers to the c ontents of the 256-bit data register. The r em aining bit fields a re
referred to as TempKey.SourceFlag, TempKey.GenData, and so on.
The TempKey.Valid bit is cl eared to zero under any of the following circumstances:
• Power up, sleep, brown out, watchdog expiration, or tamper detection. The contents of TempKey, however, are
retained when the chip enters idle mode
• After the execution of any command other than Nonce or GenDig, regardless of whether or not the command
execution succeeds. It may be cleared by the CheckMac command unless a successful copy takes place. It is not
cleared if there is a communications problem, as evidenced by a cyclic redundancy check (CRC) error
• An error during the parsing or execution of GenDig and/or Nonce
• Execution of GenDig replaces any previous output of the Nonce command with the output of the GenDig command.
Execution of the Nonce command likewise replaces any previous output of the GenDig command
Atmel ATSHA204 [DATASHEET] 12
8740C−CRYPTO−7/11
3. Cryptographic Information
The ATSHA204 i m plements a challenge-response protocol using either SHA-256 or HMAC/SHA-256, details of which are
below. The response is always a 256-bit digest.
The Nonce com mand (see Section 8.9) accepts an input chall enge from the s ystem and optionally combines it with an
internally g enerated ran dom number to generate a nonce (n umber used once) for the calculation. This seed is then c ombined
with a secret key as part of the authentication calculat i on for any of the crypto commands (MAC, H M AC, Read, Write, or
GenDig). For compatibil ity reasons, the input challenge may be passed directly to the MAC comm and; however, this operation
is deprecate d.
The chip can guar antee the uniq ueness of the Nonce onl y if the chip has incl uded the output of its random number generator
in the calcul ation, because the system input may or may no t be unique. Every random Nonce is guaranteed to be uni que when
compared to al l pr evious nonc es , ensuring th at each transaction is uniq ue over all tim e.
3.1 SHA-256
The ATSHA204 MAC command calculates the digest of a secret key concatenated with t he challenge or nonce. It opti onally
includes var ious other pieces of informat i on stored on the chip within th e digested mess age.
The ATSHA204 computes the SHA-256 diges t based on the algor ithm documented here:
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
The complete SH A-256 message processed by the ATSHA204 is listed in Sections 8.5 and 8.9 for each of the particular
commands (GenD ig and Nonc e) that use the algorithm. Most s tandard software implement ations of the algorithm
automatically add the appro pr iate number of pad and length bits to this m es sage to match t he operation the c hip performs
internally.
The SHA-256 algorithm is also used for encryption by taking the output digest of the hash algorithm an d XO Ring it with the
plain text data to produce the ciphertext. Decryption is the reverse – t he ciphertext is XORed with the digest, and the result is
the plain text.
3.2 HMAC/SHA-256
The response to the challenge can also be co mputed using t he H M AC algorithm bas ed on SHA-256 documented here:
http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
Because of the increased computation com plexit y, the HMAC command is not as flexible as the MAC command and the
computation t ime for HMAC is extended. While the HMAC sequence is not necessary to ensure the security of the digest , it is
included for compatibility with various software packages.
3.3 Key Values
All keys with in the CryptoAuthenticat ion family are 256 bits long. The ATSHA204 uses these keys as part of the mes s ages
hashed with t he MAC, CheckMac , HMAC, and GenD i g c ommands. An y slot in the d ata zone of the EEPROM can be used t o
store a key, th ough the value will be secret only if the read and write permissions are pr operly set wit hin SlotConfig (including
the IsSecret bi t).
Except for the GenDig command, all but the l eas t-significant four bits of the KeyID parameter are ignored in determining the
source of key data. Only the least-signif i c ant four bits are used to select one of the slots of the data zone. S ee Section 3.3.7,
below, for inf ormation on how GenDig uses other KeyID values.
In all cases for which a SHA-2 56 calculation is performed using Param2, t he entire 16-bit KeyID as input i s i nc l uded in the
message.
Atmel ATSHA204 [DATASHEET] 13
8740C−CRYPTO−7/11
3.3.1 Diversified Keys
If the host or validating entity has a place to securely store secrets, the key values stored in the EEPROM slot(s) can be
diversified with the serial number embedded in the chi p (SN[0:8]) . In this manner, every client c hip can have a unique key,
which can prov ide extra protection agains t known plaint ext attacks and permit compromi s ed serial numbers to be identif ied
and blacklisted.
To implement this, a root secret is externally combined with the chip ser ial number duri ng personaliz ation using some
cryptographic algorithm and the result written to the ATSHA204 key slot.
The ATSHA204 C hec kMac comman d provides a mech anism of sec urely generating and compar ing diversif ied keys,
eliminating this requirem ent from the host system.
Consult the fol lowing application note for more detail s :
http://www.atmel.com/dyn/resources/prod_documents/doc8666.pdf
3.3.2 Rolled Keys
In order to prev ent repeated use of the same key value, the ATSHA204 supports k ey rolling. Normally, a fter a certain n um ber
of uses (perhaps as few as one), the current key value is replaced with the SHA-256 digest of its current value combined with
some offset, which may either be a constant, something related to the current system (for example, a serial number or m odel
number), or a random number.
This capabil ity is implemented using the DeriveKey com mand. Prior to execution of the DeriveKe y command, the No nce
command mus t be run to load the offset into TempKey. Eac h time the roll operation is pe r formed on slots 0-7, the
UpdateCount field for that s l ot is incremented.
One use for thi s capability is to permanently remove the original key from the device, r eplacing it with a key that is only useful
in a particular environment. After the key is rolled, there is no possi bl e way to ret r i ev e the old value, which improves the
security of t he system.
Note: Any power interruption during the execution of the DeriveKey command in Roll mode may cause either the k ey
or the UpdateC ount to have an unknown value. If writing t o a s l ot is enabled using bit number 14 of SlotConfig,
such keys can be written in enc rypted and aut henticated form using the Write command. Alternatively, multiple
copies of the key can be stored in multiple slot s so that failur e of a single slot does not incapacitate the system.
3.3.3 Created Keys
In order to suppor t unique ephemeral keys for ev ery client, the ATSHA204 also supports key creation. In this mechanism, a
“parent” key (specified b y slotConfig.writeKey) is com bined with a fixed or random nonce to create a unique key, which is then
used for any cryptographic pu rpose.
The ability to create unique k eys is especi ally useful if t he parent key has usage restrictions (see “Single-use Keys” and
“Limited-use Ke y” i n the following sections). In this mode, the limited use parent ke y can be employed to create an unli m i ted
use child key. B ecause the child key is useful only for this particular hos t-client pair , attacks on its value are less valuable.
This capabil ity is also implemented using the DeriveKey command. Prior to executi on of the DeriveKey command, the Nonce
command mus t be run to load the Nonce value int o TempKey. Each time the create operation is performed on slots 0-7; the
UpdateCount field for that s l ot is incremented.
3.3.4 Single-use Keys
For the KeyID v al ues corresponding to slots 0-7 i n the data section of the EEP R OM, repeated us age of the key stored in the
slot can be strictly limited. This feature is enabled if the SingleUse bit is set in the S l otConfig field. The SingleUse bit is ignored
for slots 8-14. The number of rem aining uses is stored as a bit map in the UseFlag b yt e corresponding to the slot in q uestion.
Prior to execution of any cryptographic command that uses this slot as a k ey, the following takes plac e:
• If SlotConfig[keyId].SingleUse is set and UseFlag[KeyID] is 0x00, the chip returns an error
• Starting at bit seven of UseFlag[keyID], clear to zero the first bit that is currently a one
Atmel ATSHA204 [DATASHEET] 14
8740C−CRYPTO−7/11
In practice, this procedure permits SingleUse keys to be used eight times between “refreshes” us ing the DeriveKey command.
If power is lost dur ing the execution of any com mand referenc i ng a key that has this feature enabled, on e of the use bits in
UseFlag may still be cleared even though the command did not complete. For this reason, Atmel recommends that the ke y be
used a single time only, with the other bit s providing a safety margin for er rors.
Under normal c ircumstances, all eight UseFlag bytes should be initial ized to 0xFF. I f it is the intention t o permit fewer than
eight uses of a particular key, these bytes should be initial ized to 0x7F (seven uses), 0 x3F (six uses), 0 x1F (five uses), 0x0F
(four uses), 0x07 (three uses ), 0x03 (two uses), or 0x01 (one use). Initialization t o any other value besides these v alues or
0xFF is prohib ited.
The Read, Wri te, and DeriveKey commands operate slightly differently:
• Read and Write
These commands ignore the state of the SingleUse bit and the UseFlag byte does not change as a result of their
execution. SingleUse slots in which the UseFlag is exhausted (value of 0x00) can still be read or written (subject to
the appropriate SlotConfig limitations) although the value in the slot cannot ever be used as a key for cryptographic
commands.
If SlotConfig.WriteKey for slot X points back to X, but UseFlag[X] is exhausted, encrypted writes to the slot will
never succeed because the prior GenDig command will have returned an error due to the usage limitation. A similar
situation occurs with reads and ReadKey. Slots used as keys should never have IsSecret set to zero or WriteConfig
set to Always.
• DeriveKey
If the parent key is used for either authentication or as the source, then if SingleUse (for the parent) is set and
UseFlag (also for the parent) is 0x00, the DeriveKey command returns an error. The SingleUse and UseFlag bits are
ignored for the target key. When successfully executed, DeriveKey always resets the UseFlag to 0xFF for the target
key – this is the only mechanism to reset the UseFlag bits.
Use of the DeriveKey command is optional – it is legal to be run only if WriteConfig: 13 is set for this slot. In some
situations, it may be advantageous to simply have a key that can be used eight times, in which case the other crypto
commands will clear the bits in UseFlag one at a time until all are cleared, and at which time the key is disabled.
3.3.5 Limited-use Key
If Slot[15] .SingleUse is set, usage of key number 15 is limited through a diff er ent mechanism than the singl e-use limitation
described above, which app l ies only to slots 0-7.
Prior to any us e of key 15 by a cryptographic c om mand, the f ol lowing takes place:
• If all bytes in LastKeyUse are 0x00, return error
• Starting at bit seven of the first byte of LastKeyUse (byte 68 in config zone), clear to zero the first bit that is currently
a zero. If byte 68 is 0x00, check bit seven of byte 69, and so on up through byte 83. Only a single bit is cleared each
time prior to using key 15
There is no reset mechanism for this limitation – after 128 uses (or the nu m ber of one bits set in LastKeyUse on
personalization), key 15 is permanently disabled. This capabil ity is not susceptible to power interrupt ions – even if the po wer is
interrupted during execution of the comm and, only a single bit in LastKeyUse will be unknown; all other bits in LastKeyUse will
be unchanged and the key will remain unchanged.
If fewer than 128 us es are desired for key 15, then some of the bytes within this array should not be initialized to 0xFF. As with
UseFlag, the only legal valu es for bytes within this field (besides 0xFF) are 0x7F, 0x3F , 0x1F, 0x0F, 0x 07, 0x03, 0x01, or
0x00. The total num ber of bits set to one indicates the number of uses. One example of how to set 16 u ses is as follows: 0xFF,
0xFF, 0x00, 0x 00, 0x00, 0x00, 0x00, 0x00, 0x0 0, 0x00, 0x0 0, 0x00, 0x00, 0x00, 0x00, 0x 00.
The SingleUs e bit is ignored by the Read and Wri te commands, and last KeyUse does not change as a result of their
execution. The SingleUse b i t is ignored by the copy function of the CheckMac command. The SingleUse bit is honored for the
parent key in t he DeriveKey command, but is ignored for the target key.
Atmel ATSHA204 [DATASHEET] 15
8740C−CRYPTO−7/11
3.3.6 Password Checking
Many applications require a user to enter a password to enable featur es , decrypt stored data, or s ome other purpos e.
Typically, t he expected password has to be stored somewhere in memory and is, therefore, subject to discovery. The
ATSHA204 can s ec urely store t he expected password and perfor m a number of useful operations on it. The password is never
passed in the c l ear to the chip, nor can it be read from the chip. It i s hashed with a random number in the system software
before being passed to the chip.
The copy capa bi li ty of the Check M ac command enables the following types of password chec k i ng options:
1. CheckMac does an internal comparison with the expected password and returns a Boolean to the system to indicate
whether the passwor d was correctly entered or not
2. If the chip determines that the correct password has been entered, then the value of the password can optionally be
combined with a stored or ephemeral value to create a key that can be used by the system for data protection
purposes
3. If the chip determines that the correct password has been entered, the chip can use this fact to optionally release a
secondary, high entropy secret, which can be used for data protection without risk of any exhaustive dictionary
attack
4. If the password has been lost, an entity with knowledge of a parent key value can optionally write a new password
into the slot. Also optionally, the current value can be encrypted with a parent key and read from the chip
Passwords should be stored in even-numbered s lots. If the password is to be mapped to a secondary value (use #3 above),
then the target slot containing this value is located in t he next higher slot number (the password sl ot number plus one) .
Otherwise, t he target slot is the same as the password slot.
ReadKey for the target slot m ust be set to zero to enable this c apability. In order to prevent fraudulent or unintended usage of
this capabil ity, do not set ReadKey for any slot to zero unless this Chec kMac/cop y capabili ty is specifically required. In
particular, do not assume that other bits in t he configurat ion word for a particular sl ot override the enablement of this capability
specified by ReadKey = 0.
This capabil ity is enabled only if the m ode parameter to CheckMac has a value of 0x01, indicating that
a. The firs t 32 bytes of the SHA-256 m essage are st ored in a data slot in the EEPRO M (the password)
b. The second 32 bytes of the SHA-256 message m us t be a randomly generated nonc e in the TempK ey register
If the above co nditions are met and the input response matches the internally generated di gest, then the contents of the t ar get
key are copie d to TempKey. The other TempKey register bits are set as follows:
• SourceFlag is set to one (not random)
• GenData is set to zero (not generate by the GenData command)
• CheckFlag is set to zero (TempKey is not restricted to the CheckMac command)
• Valid is set to one
3.3.7 Transport Keys
The ATSHA204 chip includes an internal hardware array of keys (transpor t keys) that ar e intended for secure personalization
prior to locking of the data section. The v al ues of the hardware keys are kept s ecret, and are made available to qualifie d
customers upon request to Atmel. These keys can be used with the GenDig command only, and are indicated by a Key ID
value ≥ 0x8000.
This is the intended persona lization command flo w:
1. Write intended values to the configuration zone, and then lock the conf iguration zone.
2. Write non-secret slots and OTP zone, data should be passed to the chip in the clear.
3. Generate a random personalization key in any one of the secret slots with the following sequence:
a. Nonce command to generate a random nonc e in TempKey
b. Gendig specifying a trans port key ≥ 0x8000
c. Gendig using the compli ance (defau lt) value stor ed in the slot to be used for personalization
d. Encrypted write to that same slot (overwrites the com pl iance value)
Atmel ATSHA204 [DATASHEET] 16
8740C−CRYPTO−7/11
4. Use that personalization key to write all the secret slots, ending with the final value of the personalization key slot
itself, using the following sequence repeated as necessary:
a. Nonce command to generate a random nonc e in TempKey
b. Gendig specifying the pers onalization key
c. Encrypted write to t he target slot
5. Lock the data zone
For GenDig an d al l other comm ands , KeyID values less than 0x8000 always ref erence ke ys that are st ored in the data z one of
the EEPROM. In these cases, only the four leas t-signific ant bits of KeyID are used to det ermine the sl ot number, while the
entire 16-bit KeyID as input is used in any SHA-256 messag e c al c ulation.
3.4 Security Features
3.4.1 Physical Security
The ATSHA204 i nc orporates a num ber of physic al s ecurity features designed to protect t he EEPROM contents from
unauthorized exposure. The security measures incl ude:
• An active shield over the part
• Internal memory encryption
• Secure test modes
• Glitch protection
• Voltage tamper detection
Pre-programmed t r ansport keys stored on the A TSHA204 are enc rypted in suc h a way as to make retrieval of thei r values
using outside analysis very difficult.
Both the logic clock and logi c supply voltage are internally generated, preventing any direct attack on these two signals using
the pins of the c hi p.
3.4.2 Random Number Generator
The ATSHA204 i nc ludes a high-quality rand om number generat or that retur ns 32 random bytes to the s ystem. The chip
combines this generated number with a separate input number to form a nonce that is stored within the chip in TempK ey a nd
may be used by subsequent com m ands.
The system may use this random number generator for any purpose. One common purpose would be as the input challenge
to the MAC command on a separate CryptoAuthenti cation chip. The chip provides a special Random comman d for such
purposes, which does do not affect the inter nally stored nonce.
To simplify system testing, prior to conf ig l ocking the random number generator al wa ys returns the followi ng value:
ff ff 00 00 ff ff 00 00 …
where ff is the first byte read from the chip and the first byte into the SHA message.
To prevent replay attacks on encrypted data that is passe d to or from the ATSHA204, the chi p r equires that a new, internal ly
generated non ce be included as part of the encryption sequence used to p r otect the data being written or read. To i m pl em ent
this requirement, the data protection ke y g enerated by Ge nDig and used b y t he Read or Write command must us e the internal
random number generator during the creat i on of the Nonce.
Random numb er s are generated from a combin ation of the output of a hard ware r andom number generator and an int ernal
seed value, which is not externally acces s ible. The internal seed is s tored in the E E PROM, and is normally updated once after
every power-up or s leep/wake cycle. After the up date, this seed v alue is retained in registers within the c hi p that are
invalidated if the chip ent ers sleep mode or the power is r emoved.
Because there is an EEPROM endurance specification that limit s the number of times the EEP ROM seed can be updated, the
host system sh ould manage power cycles to mini m i ze the number of required up dates. In certain circums tances, the system
may choose to s uppress the EE PROM seed update using the mod e parameter to the Nonce and Random commands.
Atmel ATSHA204 [DATASHEET] 17
8740C−CRYPTO−7/11
Because this m ay affect the sec urity of the system, it should be used with c aution. See Section 8.9 and Section 8.11 for more
information about how the EEPROM seed update is controlled.
4. General I/O Information
Communications with the ATSHA204 are achieved through one of two different protocols, and selected using the part number
that is ordered:
• Single-wire Interface
Uses a single GPIO connection on the system microprocessor connected to SDA on the chip. It permits the fewest
number of connector pins to any removable/replaceable entity. The bit rate is up to 26Kbits/sec
• I2C Interface
This mode is compatible with the Atmel AT24C16B serial EEPROM interface. Two pins, serial data (SDA), and serial
clock (SCL) are required. The I2C interface supports a bit rate of up to 1Mbit/sec.
The lowest levels of the I/ O protocols are de s cribed below in Sections 5 and 6. Above the I/O protocol lev el , however, ex actly
the same bytes are transferre d to and from the chip to implement the cryptographic commands and error codes documented i n
Section 8.
Note: The chip imple m ents a failsafe i nternal watc hdog timer that forces it into a very low power mode after a certain
time interva l, regardless of any current activity. System programmi ng must take this into consideration. S ee
Section 8.1.6 for more deta il s.
4.1 Byte and Bit Ordering
CryptoAuthentication us es a common ordering scheme for bytes and also for the way in which numbers and arrays are
represente d in this datash eet:
• All multi-byte aggregate elements are treated as arrays of bytes and are processed in the order received or
transmitted with index #0 first
• 16-bit (2-byte) integers, typically Param2 appear on the bus least-significant byte first
In this document, the most-significant bit or nibble of a byte or 16-bit word appears towards the left hand side of the page.
The bit order is different depe nding on the I/ O channel used:
• On the one-wire interface, data is transferred to/from the Atmel ATSHA204 least-significant bit first on the bus
• On the I2C interface, data is transferred to/from the Atmel ATSHA204 most-significant bit first on the bus
4.1.1 Output Example
The following bytes will b e r eturned in this order on the bus by a 32-byte read of the configuration secti on with an input
address of 0x0000:
SN[0], SN[1], SN[2], SN[3], RevNum[0], RevNum[1], RevNum[2], RevNum[3], SN[4], SN[5], SN[6], SN[7], SN[8], reserved,
I2C Enable, reserved, I2C_Address, T em pOffset, OT Pmode, SelectorMode, SlotConfig[0].Read, SlotConfig[0].Write,
SlotConfig[ 1].Read, Slot Config[1] .Write, SlotConfig[2].Read, SlotConfig[2].Write, Slot C onfig[3].Read, SlotConfig[3].Write,
SlotConfig[ 4].Read, Slot Config[4] .Write, SlotConfig[5].Read, SlotConfig[5].Write
4.1.2 MAC Message Exampl e
The following bytes will b e passed to the SHA engine for a MAC command using a mode value of 0x 71 and a KeyID of slot x.
In the example below, K[x] indicates the KeyID of s l ot x in the data zone, with K[0] being the first byte on the bus for a read
from or write to that slot. OTP[0] indicates t he first byte on t he bus for a read of the OTP zone at address zero, and s o on.
K[0], K[1], K[2], K[3] … K [31], TempKey[0], TempKey[1], TempKey[2], TempKey[3] … TempKey[31], Opcode (=0x08),
Mode (=0x71), Param2(LSB = x), Param2(MSB = 0), OTP[0], OTP[1], OTP[2], OTP[3], OTP[4], OTP[5], OTP[6],
OTP[7], OTP[8], OTP[9], OTP[10], SN[8], SN[4], SN[5], SN[6], SN[7], SN[0], SN[1], SN[2], SN[3].
For more details regarding MAC messages, see Section 8.8, “MAC Command.”
Atmel ATSHA204 [DATASHEET] 18
8740C−CRYPTO−7/11
4.2 Sharing the Interface
Multiple Cr ypt oAuthentication devices m ay share the same interface, as follows:
a. System issu es a Wake token (see Section 5.1) to wake up all chips
b. The system issues the Pause command to put all but one of the devices into idle mode. Only the remaini ng c hip then
sees any commands the system sends. When the system has completed talking to the one acti v e device, it sends an
idle flag, which the idle chips ignore but which puts the single remaining activ e c hi p into the idle mode. See Sect i on
8.10, “Pause Com m and,” for more details.
Steps a and b are repeated for each chip on the wire. If the system has completed communic ations with the final chip, it
should wake all the chips up and then put all t he chips to sle ep to reduce total power consumption.
The chip uses the selector byt e within the co nfiguration z one to determin e which chip st ays awake – only that chip with a
selector value that matches the input parameter of the Pause command stays awake. In order to fac i litate lat e c onfiguration of
systems that use the multi-chip sharing mode, the following three update capabilities for the selector byt e ar e supported:
1. Unlimited Updates
At any time, the UpdateExtra command can be executed to write the value in the selector field of the configuration
zone. To enable this mode, set the SelectorMode byte in the configuration zone to zero.
2. One-time Field Update
If the SelectorMode byte is set to a non-zero value and the selector byte is set to a zero value prior to locking the
configuration zone, then at any time after the configuration zone is locked the UpdateExtra command can be used
one time to set Selector to a non-zero value. The UpdateExtra command is not affected by the LockValue byte.
3. Fixed Selector Value
The selector byte can never be modified after the configuration zone is locked if both SelectorMode and Selector are
set to non-zero values. The UpdateExtra command will always return an error code.
5. Single-wire Interface
In this mode, com m uni cations to and from the ATSHA204 take pl ac e over SDA, a single, as ynchronously tim ed wire, and the
SCL pin is ignored.
Note: The sleep current specification values ar e guaranteed only if the SCL pin is held lo w or left unconnected.
The overall communications structure is a hierarchy:
Tokens I/O tokens implement a single data bit transmitted on the bus, or the wake-up event.
Flags Flags consist of eight tokens ( bits) that convey the direction and meaning of the next group of bits (if any)
that may be trans m i tted.
Blocks Blocks of data follow the command and transmit flags. They incorporate both a byte cou nt and a checks um
to ensure prop er data transmission.
Packets Packets of b yt es form the core of the block (minus the byte count and CRC). They are either the input or
output parameters of a Crypt oAuthentic ation command or status information from the Atmel ATSHA204.
See the Atmel we bs i te for the appropriate application notes for more details on how to use any microprocessor to easi ly
generate the signaling necessary to send these element s to the chip, incl uding C sourc e code libraries. Also, see Section 10.2,
“Wiring Configuration for S i ngle-wire Interface,” for more information about how to connect the chip in t he single-wire interface
mode.
Atmel ATSHA204 [DATASHEET] 19
8740C−CRYPTO−7/11
5.1 I/O Tokens
There are a num ber of I/O tokens that may be transmitted over the single-wire interface:
Input: (to the Atmel AT S H A 204)
Wake Wake the chip up from either sleep or idle stat es
Zero Send a sing le bit from the system to the c hip with a value of zero
One Send a single bi t from the system to the chip with a value of one
Output: (from the Atmel ATSHA204)
ZeroOut Send a single bit from the chip to the system with a value of zero
OneOut Send a single bit from the chip to the system with a value of one
The waveform s are the same in either direction. There are some dif ferences in timing, however, based on the expectation t hat
the host has a very accurate and consistent clock, while t he ATSHA204 has signific ant part-to-part v ariability in its internal
clock generator, due to norm al manufacturing and environmental fluctuations.
The bit timi ngs are designed to permit a stan dar d U ART running at 230.4K baud to transmit and receive the t ok ens effici ently.
Each byte tran smitted or received by the UART corresponds to a single bit received or trans mitted by the chip.
The Wake tok en i s special in that it requires an extra long low pulse on the SDA pin, which cannot be confused with the
shorter lo w pulses that occur dur ing a data token ( Zero, One, ZeroOut, OneOut). Chips that are in either the idle or sleep state
ignore all data tokens until they receive a legal Wake token. Do not send a Wake token to chips that are awake, as they will
lose synchronization because the waveform can be resolved to neit her a legal one nor zero. See Section 5.3.2 for the
procedure to regain synchro nization.
5.2 I/O Flags
The system is always the bus master, so befor e any I/O transac tion, the system must send an 8-bit flag to the chip t o indicate
the I/O operat ion to be subseque ntly perform ed, as shown in Table 5-1.
Table 5-1. I/O flags
Value Name Meaning
0x77 Command After this flag, the system starts sendi ng a c ommand block t o the chip
The first bit of the block can fo ll ow immediately after the last bit of the flag
0x88 Transmit This command tells the chip to wait for a bus turnaround time and then start transmitting its
response to the previously transmitted command bloc k
0xBB Idle Upon rec eipt of an idle f l ag, the chip goes into the idle mode and remains there until the ne xt wake
token is received
0xCC Sleep Upon receipt of a sleep flag, the chip enters t he low-power sl eep mode until the next Wake token is
received
All other values are reserved and s hould not be us ed
5.2.1.1 Transmit Flag
The transmit flag is used to tur n the bus around so that the ATSHA204 can send dat a back to the system. The bytes t hat the
chip returns to the system depend on the curr ent state of the c hi p, and may include either st atus, error cod e, or command
results.
When the chip i s busy executi ng a command, it ignores the SDA pi n and any flags sent by the system. See Table 8-4 for
execution delays in the chip for each command type. The system must observ e these dela ys after sending a command to the
chip.
Atmel ATSHA204 [DATASHEET] 20
8740C−CRYPTO−7/11
5.2.1.2 Idle Flag
The idle flag is used to transition the ATS HA204 to the idle state, which causes the input/output buffer to be flushed. It does
not invalidate the contents of the TempKey and random nu m ber generato r (RNG) seed regist ers. This flag can be sent to the
chip at any tim e when it will acc ept a flag. When the chip is in the idle state, the watchdog tim er i s di s abled.
5.2.1.3 Sleep Flag
The sleep flag transitions the ATSHA204 t o the low-power sleep state, whi ch causes a complete reset of the chip, including
invalidation of the conte nts of the SRAM and all volatile registers. This flag can be se nt to the chip at a ny time when it will
accept a flag.
5.3 Synchronization
Because the communications protocol is half-dup lex, there is t he possibility that the system and the AT SHA204 will fall out of
synchronizat ion with each other. In or der to speed recovery, the chip implements a t i m eout that for c es it to sleep under cert ain
circumstances.
5.3.1 I/O Timeout
After a leading transition for any data token has been received, the ATSHA204 will expe ct the remaining bits of the token to be
properly received by the ch i p within the tTIMEOUT interval. Failure to send enou gh bits or the transmissio n of an illegal tok en
(a low pulse exceeding tZLO) will cause the ch ip to enter the sleep state after the tTIMEOUT interval.
The same timeout applies during the transmission of the co m mand block. After the transmis sion of a legal com mand flag, the
I/O timeout cir cuitry is enabled until t he l as t expected d ata bit is receiv ed.
Note: The timeout c ounter is reset after every lega l token, and so the total time to transmit the com mand may exceed
the tTIMEOUT interval while the t ime between bits may not
The I/O timeou t circuitr y is disabled when the chip is busy exec uting a command.
5.3.2 Synchronization Procedures
If the chip is not busy when the system sends a transmit flag, the chip should respond withi n tTURNAROUND. If tEXEC time has not
already passed, the chip ma y be busy, and the system should poll or wait until the maximum tEXEC time has elapsed. If the
chip still does not respond to a second transmit flag wit hin tTURNAROUND, it may be out of synchronizati on. At this point, the
system may ta ke the followin g steps to reestablish communication:
1. Wait tTIMEOUT
2. Send the transmit flag
3. If the chip responds within tTURNAROUND, then the system may proceed with more commands
4. Send a Wake token
5. Wait tWHI
6. Send the transmit flag
7. The chip should respond with a 0x11 status within tTURNAROUND, at which time system may proceed with commands
Any command results in the I/O buffer ma y be lost when the system and chip lose synchronization.
Atmel ATSHA204 [DATASHEET] 21
8740C−CRYPTO−7/11
6. I2C Interface
The I2C interface uses the SDA and SCL pins to indicate various I/O states to the ATSHA204. This interf ac e i s designed to be
compatible at the protocol level with the AT24C16B serial EEPROM operating at 1MHz.
The SDA pin is normally pulle d high with an external pull-up resistor, as the ATSHA204 includes only an open-drain driver on
its output pin. The bus mast er may be either open–drain or t otem pole, and if the latter, then it should be tri-stated when the
ATSHA204 is dr i v i ng results on the bus. T he SCL pin is an input, and must be driven both high and low at all tim es by an
external device
6.1 I/O Conditions
The chip respo nds to the following I/O conditions:
6.1.1 Chip is Asleep
When the chip i s asleep, it ignores all but the WAKE condition
Wake: If SDA is held low for a period gr eater than tWLO, the chip exits low-power mode and, after a delay of tWH I, is
ready to receive I2C commands. The chip ignores a ny levels or transitions on the SCL pin when the chip is
idle or asleep and during tWLO. At some point during tWHI, the SC L pin i s enabled an d the conditions listed in
Section 6.1.2, “Chip is Awake,” are honored.
The wake condi tion requires either that t he system processor manually drive the SDA pin low for tWLO, or that a dat a byte of
0x00 is transm itted at a clock rate sufficient ly slow that S DA is low for a minimum period of tWLO. When the chip is awake, the
normal processor I2C hardware and/or software can be used f or chip communic ations up to and inc luding the I/O sequence
required toput the chip back into lo w po wer ( sleep) mode.
When there are mul tiple ATSHA204 chips on t he bus and the I2C interface is run at 133KHz or slower, the transmission of
certain data patterns (such as 0x00) will cause all the ATSHA204 chips on the bus to wake up. Because subsequent device
addresses transmitted alo ng the bus will only match the desired chips, the unused devices will rema in idle and not c ause any
bus conflict s .
In I2C mode, the chip will ignore a wake sequence se nt when the chip is already awake.
6.1.2 Chip is Awake
When the chip i s awake, it honors the conditions l isted belo w.
Data Zero: If SDA is lo w and stable while S CL goes from low to high to low, then a zero bit is being transferred on the
bus. SDA can c hange while SCL is low.
Data One: If SDA is high and stable while S CL goes from low to high to low, then a one bit is being transferred on the
bus. SDA can c hange while SCL is low.
Figure 6-1. Data Bit Transfer on I2C Interface
SDA
SCL Data line stable;
Data valid Change of
data allowed
Atmel ATSHA204 [DATASHEET] 22
8740C−CRYPTO−7/11
Start: A high-to-low transition of SDA with SCL high is a start condi tion, which must precede all commands.
Stop: A low-to-high transition of SDA with SCL high is a stop condition. After t his condition is received by the chip,
the current I/ O transaction en ds. On input, if the chip has sufficient bytes to execute a comm and, the chip
transitions to the busy state and begins execution. T he stop condition should always be sent after any
packet sent to t he chip.
Figure 6-2. Start and Stop Conditions on I2C Interface
SDA
SCL
Start
Condition Stop
Condition
S P
Acknowledge (ACK): On the ninth clock cyc l e after every addr es s or data byte is transferred, the receiver will pull the
SDA pin low to acknowledge proper reception of the b yt e.
Not Acknowledge (NACK): Alternatively, o n the ninth cloc k cycle after ev ery address or data byte is trans ferred, the
receiver can leave the SDA pin high to indicate that ther e was a problem with the receptio n of the byte or
that this byte completes the block transfer .
Figure 6-3. NACK and ACK Conditions on I2C Interface
Data Output
by Transmitter
Data Output
by Receiver
Clock Pulse for
Acknowledgement
Start
Condition
S
SCL from
Master
Not Acknowledge
Acknowledge
1 2 8 9
Multiple ATSHA204 chips can easily share the same I2C int erface if the I2C_Device addr es s byte is programmed differently for
each device on the bus. Because six of the bits of the devic e address are programmable, the ATSHA204 can also s hare the
I2C interface with any standard I2C chip, including any serial EEPROM. Bit 3 (als o known as TTL Enable) must be
programmed ac cording the input thresholds desired, and so is fixed in a particular application.
Atmel ATSHA204 [DATASHEET] 23
8740C−CRYPTO−7/11
6.2 I2C Transmission to the Atmel ATSHA204 Device
The transmission of data from the system to t he AT88SA102S i s summarized in Figure 6-4. The order of tr ansmission is :
• Start condition
• Device address byte
• Word address byte
• Optional data bytes (1 through N)
• Stop condition
Figure 6-4. Normal I2C Transmission t o an At m e l ATSHA204
SDA
SCL
1-7 8 9 1-7 8 9 1-7 8 9 1-7 8 9 1-7 8 9
SP
Start
Condition
Device
Address Word
Address Data 2ACK
1
ACK
1
ACK
1
ACK
1
ACK
1
Stop
Condition
Data NData 1R/W
Note: SDA is driven low by the Atmel A TSHA204 during the ACK periods
The tables bel ow label the bytes of the I/ O transaction. The I2C name column provides the names of the bytes as des c ribed in
the AT24C16B datasheet.
Table 6-1. I2C Transmission to Atmel ATSHA204
Atmel ATSHA204 I2C Name Description
Device address Device address T hi s byt e selects a part icular chip on the I2C interface. The Atmel ATSHA204 is
selected if bits 1-7 of this byte match bits 1-7 of the I2C_Address byte in the
configuration zone. Bit 0 of this byte is the standard I2C R/W bit, and should be
zero to indicat e a write operat ion (the bytes f ol lowing the device address travel
from the master to the slave).
Word address Word address This byte s hould have a value of 0x03 for nor mal operation.
See Sections 6.2.2 and 6.6, below, for more information.
Command Data1-n The command block , consisting of the count, c om mand packet, and the two-byte
CRC. The CRC is calculated over the size and packet bytes. S ee Section 8.1.
Because the chip treats the command input buffer as a FIFO, the input bloc k can be sent to the c hi p in one or many I2C
command blocks. The firs t byte sent to the chip is the count , and so after the chip receive s that number of bytes, it will ignore
any subsequently received bytes until execution is finished.
The system must send a stop conditi on after the last command byte to ensure that the ATSHA204 will start the computat i on of
the command. Failure to send a stop condit i on may eventually result in a loss of synchronization (See Section 6.7 for recovery
procedures).
Atmel ATSHA204 [DATASHEET] 24
8740C−CRYPTO−7/11
6.2.1 Word Address Values
During an I2C write pac ket, the ATSHA204 interprets the second byte sent as the word address, which indic ates the packet
function, as d escribed in the following table.
Table 6-2. Word Address Values
Name
Value
Description
Reset 0x00 R es et the address counter. The ne xt read or write tr ansaction will start wit h the
beginning of the I/O buffer
Sleep
(l ow power) 0x01 The At m el ATSHA204 goes into the low-power sleep mode and ignores all s ubsequent
I/O transitions until the next Wake flag. The entir e volatile state of the chip i s reset.
Idle 0x02 The Atmel ATSHA204 goes into the idle state and ignores all s ubs equent I/O transitions
until the next Wake flag. The contents of TempKey and RNG seed regis ters are retained
Command 0x03 Write subsequent bytes to sequential addresses i n the input com m and buffer that follow
previous writes. This is the normal op er ation
Reserved 0x04 – 0xFF These addres ses should n ot be sent to the chip
6.2.2 Command Completion Polling
After a complete command ha s been sent to the ATSHA204, the chip will be busy until the c ommand computati on completes.
The system has two options for this dela y:
• Polling
The system should wait tEXEC (typical) and then send a read sequence (See Section 6.5). If the chip NACKs the
device address, then it is still busy. The system may delay for some time or immediately send another read
sequence, again looping on NACK. After a total delay of tEXEC (max), the chip will have completed the computation
and return the results.
• Single Delay
The system should wait tEXEC (max), after which the chip will have completed execution and the result can be read
from the chip using a normal read sequence.
6.3 Sleep Sequence
Upon completion of system u s e of the ATSHA204, the system shou l d issue a sleep sequence to put the chip into low-power
mode. This seque nce consist s of the proper devi ce address followed by the value of 0x01 as the word address f ollowed b y a
stop conditi on. This t ransition to the low-power state causes a complet e r eset of the chip i nternal comm and engine and
input/output buffer. It c an be sent to the chip at any time when it is awake and not busy.
6.4 Idle Sequence
If the total s equence of required commands exceeds tWATCHDOG, then t he chip will autom atically go to sleep and los e any
information s tored in the vol atile registers. This action can be prev ented by putting the chip into the idle state prior to
completion of the watchdog interval. W hen the chip recei v es the wake tok en, it will then r estart the watchdog timer, an d
execution ca n be continued.
The idle sequence consists of the proper device address followed by the value of 0x02 as the word address follo wed b y a stop
condition. It can be sent to the chip at any time when it is awake and not busy.
If TempKe y was c r eated as a result of the copy mode of the CheckMac command, it will not be retai ned when the par t goes
into an idle state.
Atmel ATSHA204 [DATASHEET] 25
8740C−CRYPTO−7/11
6.5 I2C Transmission from the Atmel ATSHA204 Device
When the ATSHA204 is awake and not busy, the bus m aster can retrieve the current buffer contents from the chi p us ing an
I2C read. If valid com mand results are available, the size of the block returned i s determined by the partic ul ar command that
has been run (S ee S ection 8. “Commands”), otherwise the size of the block ( and the first byte ret urned) will always be four:
count, status /error, and 2-byte CRC. T he bus timing is shown in Figure 7-3 in Section 7.3.2.
Table 6-3. I2C transmission from Atme l ATSHA204
Atmel ATSHA204 I2C Name Direction Description
Device Address Device Address To slave T his byte selects a par ticular chip on the I2C interface, and the Atmel
ATSHA204 will be selected if bi ts 1-7 of this byt e m atch bits 1-7 of the
I2C_Address byte in the configuration zo ne. Bit 0 of this byte is the
standard I2C R/W pin, and should be one to indicate that the bytes
following t he device address travel from the slave to the m aster (read)
Data Data1,N To master The output block, consi s ting of the count and status /error byte or the
output packet followed by t he two-byte CRC per Section 8.1
The status , error, or comman d outputs can be read repeatedly by the master. Each time a read command is sent to the
ATSHA204 along the I2C interf ac e, the chip transmits the next s equential byte in the output buffer. See the following section
for details on how the chip handles the address counter.
If the ATSHA204 is busy, idle, or asleep, it will NACK the device address on a read sequence. If a part ial command has been
sent to the chip , then it will NA CK the device address, but float the bus during the data interv al s .
6.6 Address Counter
Writes to and/ or reads from t he A TSHA204 I/O buffer over the I2C inter face are treat ed as if the c hip were a FIFO. Either the
I2C byte or block write/read protocols can be us ed. The number of bytes transferred with e ac h block sequ ence does not affect
the operatio n of the chip.
The first b yte transmitted to the chip is treated as the size byte. Any attempt to send more than this number of bytes or any
attempts to write beyond the e nd of the I/O buf fer (84 bytes) will cause the ATSHA204 t o NACK those bytes.
After the host writes a single command byte to the input buffer, reads fr om the host are prohibited until after the chip
completes command execution. Attempts to read from the chip prior to the last com m and byte being sent will result in an ACK
of the device address but all ones (0xFF) on t he bus. If the master attempts to send a read byte t o the chip during c ommand
execution, t he chip will NACK the device address.
Data may be read from the chip under the following three conditions:
• On power up, the single byte, 0x11 (See Section 8.1.3), can be read inside a four byte block
• If a complete block has been received by the chip, but there are any errors in parsing or executing the command, a
single byte of error code is available, also inside a four byte block
• Upon completion of command execution, from 1-32 bytes of command result are available to be read inside a block
of 4-35 bytes
Any attempt to read beyond the end of the valid output buffer returns 0xFF to the system – the address c ounter does no t wrap
around to the beginning of the buffer.
There may be situations where the system may wish to re-read the output buffer; for example, when the CRC check reveals
an error. In this case, the master should send a two-byte sequence to the AT SHA204 consisti ng of the correct device addres s
and a word addr es s of 0x00 (Reset, per Table 6-2), followed by a stop condition. This c auses the addres s counter to be res et
to zero, and permits the data to be re-written (re-read) to (from) the chip. This addr ess reset sequence does not prohibit
subsequent r ead operations if data was av ailable for reading in the I/O buffer prior to the sequenc e execution.
After one or more r ead operations to retrieve the results of a c ommand executio n, the first write operation res ets the address
counter to the beginning of t he I/O buffer.
Atmel ATSHA204 [DATASHEET] 26
8740C−CRYPTO−7/11
6.7 I2C Synchronization
It is possible for the system t o lose synchronization with the I/O port on the ATSHA204, perhaps due a system reset, I/O noise,
or other condition. Under this circumstance, the AT S H A 204 may not respo nd as expected, may be asleep, or m ay be
transmitting data during an interval when the system is expecting to send data. Any command result s i n the I/O buffer may be
lost when the system and chi p lose synchronization.
To re-synchro nize, the following procedure should be followed:
1. To ensure an I/O channel reset, the system should send the standard I2C software reset sequence, as follows:
• A start condition
• Nine cycles of SCL with SDA held high
• Another start condition
• A stop condition
It should then be possible to send a read sequence, and, if synchronization has completed properly, the ATSHA204
will ACK the device address. The chip may return data or may leave the bus floating (which the system will interpret
as a data value of 0xFF) during the data periods.
If the chip does ACK the device address, the system should reset the internal address counter to force the
ATSHA204 to ignore any partial input command that may have been sent. This can be accomplished by sending a
write sequence to word address 0x00 (Reset), followed by a stop condition.
2. If the chip does not respond to the device address with an ACK, then it may be asleep. In this case, the system
should send a complete wake token and wait tWHI after the rising edge. The system may then send another read
sequence, and, if synchronization has completed, the chip will ACK the device address.
3. If the chip still does not respond to the device address with an ACK, then it may be busy executing a command. The
system should wait the longest tEXEC (max) and then send the read sequence, which will be acknowledged by the
chip.
7. Electri cal Characteristics
7.1 Absolute Maximum Ratings*
Operating tem perature ................................. −40°C to +85°C
Storage temperature ................................. −65°C to + 150°C
Maximum operating voltag e .......................................... 6.0V
DC output curr ent ...................................................... 5.0mA
Voltage on any pin ............................... -0.5V to ( VCC + 0.5V)
*Notice: Stresses beyo nd those listed under “Absolute
Maximum Ratings” may cause permanent
damage to the device. T his is a stress rating
only, and funct ional operat ion of the devic e at
these or any other condition b eyond those
indicated in the operational sections of this
specificat ion i s not implied. Exposure t o
absolute maximum rating conditions for
extended periods may affect device relia bility.
7.2 Reliability
The ATSHA204 i s fabricated wit h the high reliab i li ty of the At mel CMOS EEPRO M manufacturing technology.
Table 7-1. EEPROM reliability
Parameter
Min
Typical
Max
Units
Write Endurance (each byte at 25°C) 100,000
Write cycles
Data Retention (at 55°C) 10 Years
Data Retention (at 35°C) 30 50
Years
Read Endurance Unlimited Read cycles
Atmel ATSHA204 [DATASHEET] 27
8740C−CRYPTO−7/11
7.3 AC Parameters – All I/O Interfaces
Figure 7-1. AC Timing Diagram – All I/O Interfaces
Wake
Noise
Suppression
Data Comm
t
WLO
t
WHI
t
LIGNORE
t
HIGNORE
Table 7-2. AC Parameters – All I/O Interfaces
Parameter Symbol Direction Min Typ Max Unit Notes
Wake low
duration tWLO To Crypto
Authentication 60 - µs SDA can be stable in either hi gh or l ow
levels during extended sle ep intervals
Wake high
delay to
data comm.
tWHI To Crypto
Authentication 2.5
ms SDA should be stable high for this entire
duration
High side
glitch filter
@ active
tHIGNORE_A To Cr ypto
Authentication 45(1)
ns Pulses shorter than this in width will be
ignored by the c hi p, regardless of its st ate
when active
Low side
glitch filter
@ active
tLIGNORE_A To Crypto
Authentication 45(1)
ns Pulses shorter than this in width will be
ignored by the c hi p, regardless of its st ate
when active
High side
glitch filter
@ sleep
tHIGNORE_S To Cr ypto
Authentication 15(1) µs Pulses shorter than this in width will be
ignored by the c hi p when in sleep mode
Low side
glitch filter
@ sleep
tLIGNORE_S To Crypto
Authentication 15
(1)
µs Pulses short er than this in wid th will be
ignored by the c hi p when in sleep mode
Watchdog
reset tWATCHDOG To Crypto
Authentication 0.7 1.3 1.7 s Max. t i m e from wake until chip is for c ed
into sleep mode (See Section 8.1.6)
Note: 1. These parameter s are guaranteed through ch aracterizati on, but not tested
Atmel ATSHA204 [DATASHEET] 28
8740C−CRYPTO−7/11
7.3.1 AC Parameters – Single-wire Interface
Figure 7-2. AC Timing Diagram – Single-wire Interface
Table 7-3. AC Parameters – Single-wire Interface
Applicable from TA = −40°C to +85°C, VCC = +2.0V to +5.5V, CL =100pF (unless otherwise noted)
Parameter
Symbol
Direction
Min
Typ
Max
Unit
Notes
Start Pulse
Duration tSTART To Crypto
Authentication 4.1 4.34 4.56 µs
From Crypto
Authentication 4.6 6.0 8.6 µs
Zero
Transmission
High Pulse
tZHI To Crypto
Authentication 4.1 4.34 4.56 µs
From Crypto
Authentication 4.6 6.0 8.6 µs
Zero
Transmission
Low Pulse
tZLO To Crypto
Authentication 4.1 4.34 4.56 µs
From Crypto
Authentication 4.6 6.0 8.6 µs
Bit Time(1) tBIT To Crypto
Authentication 37 39 - µs If the bit time exceeds tTIMEOUT, then the
Atmel ATSHA204 may enter the sleep state.
See Section 5.3.1 for specific detail s .
From Crypto
Authentication 41 54 78 µs
Turnaround
Delay tTURNAROUND Fr om C rypto
Authentication 28 60 95 µs The Atmel ATSHA204 will initiate the f i r st
low-going transition after thi s time interval
following t he end of the last bit (tBIT) of the
Transmit flag
To Crypto
Authentication 15
µs After the At mel ATSHA204 transmits the last
bit of a block, t he system must wait this
interval befor e sending the first bit of a flag
I/O Timeout tTIMEOUT To Crypto
Authentication 45 65 85 ms The Atmel ATSHA204 may transition t o the
sleep state if the bus is inact ive longer than
this duration. See Sectio n 5.3.1 for specific
details.
Note: 1. tSTART, tZLO, tZHI, and tBIT are designed t o be c ompatible with a standard UA RT running at 230.4K baud for both
transmit and receive. The UA RT should be set to seven data bits, no parit y, and one stop bit
t
START
t
ZHI
t
ZLO
LOGIC
Ø
t
START
t
BIT
LOGIC 1
Atmel ATSHA204 [DATASHEET] 29
8740C−CRYPTO−7/11
7.3.2 AC Parameters – I2C Interface
Figure 7-3. I2C Synchronous Data Timing
SCL
SDA IN
SDA OUT
t
F
t
HIGH
t
LOW
t
LOW
t
R
t
AA
t
DH
t
BUF
t
SU.STO
t
SU.DAT
t
HD.DAT
t
HD.STA
t
SU.STA
Table 7-4. AC Characteristics of I2C Interface
Applicable over recommended operating range from TA = −40°C to + 85°C, VCC = +2.0V to +5.5V, CL = 1 TT L gate and 100pF
(unless otherwise noted)
Symbol
Parameter
Min
Max
Units
fSCK SCK clock frequency 0 1 MHz
SCK clock duty cycle 30 70 percent
tHIGH SCK high time 400
ns
tLOW SCK low time 400 ns
tSU.STA S tart setup tim e 250
ns
tHD.STA Start hold tim e 250 ns
tSU.STO S top setup time 250
ns
tSU.DAT Data in setup time 100 ns
tHD.DAT Data in hol d time 0
ns
tR Input rise time (1)
300 ns
tF Input fall time (1)
100 ns
tAA Clock low to dat a out valid 50 550 ns
tDH Data out hold time 50
ns
tBUF Time bus mus t be free before a new transmission can start. (1) 500
ns
Notes: 1. V al ues are based on c haracterization, but are not tested
2. AC measurement conditions:
RL (connects between SDA and VCC): 2.0kΩ (for VCC +2.0V to +5.0V)
Input pulse voltages: 0.3VCC to 0. 7VCC
Input rise and f al l times: ≤ 50ns
Input and outp ut timing reference voltage: 0.5VCC
Atmel ATSHA204 [DATASHEET] 30
8740C−CRYPTO−7/11
7.4 DC Parameters – All I/O Interfaces
Table 7-5. DC Parameters – All I/O Interfaces
Parameter Symbol Min Typ Max Unit Notes
Ambient Operating
Temperature TA -40
85 °C
Power Supply
Voltage VCC 2.0
5.5 V
Active Power
Supply Current ICC
1
mA 0°C +70°C, VCC = 3.3V
- 3 mA -40°C +85°C, VCC = 5.5V
Idle Power Supply
Current I IDLE
700
µA When chip is in idle mo de, VCC = 3.3V,
VSDA & VSCL < 0.3V or > > VCC-0.3
Sleep Current I SLEEP
30 150 nA When chip is in sleep mode, VCC ≤ 3.6V,
VSDA & VSCL < 0.3V or > VCC-0.3, TA ≤ 55°C
2 µA When chip is in sleep mode
Output Low Voltage VOL
0.4 V When chip is in act ive mode, VCC = 2. 5 – 5.5V
Output Low Current IOL
4 mA When chip is in active mode, VCC = 2.5 – 5.5V, VOL = 0.4V
7.4.1 VIH and VIL Specifications
The input voltage thresholds when in sleep or idle mode are dependent on the VCC level as follows:
Figure 7-4. VIH and VIL When in Sleep or Idle Mode
VIH, VIL when in Sleep or Idle Mode
0.40
0.60
0.80
1.00
1.20
1.40
1.60
2.0 3.0 4.0 5.0 6.0
VCC
Vin
VIH
VIL
Atmel ATSHA204 [DATASHEET] 31
8740C−CRYPTO−7/11
When the chip i s active (not in s leep or idle mode), the input voltage thresholds are different, dependi ng on the state of
TTLenable (bit three) withi n the I2C_Addr es s byte stored in the configuration zone of the EEPROM . When a common voltage
is used for the ATSHA204 VCC pin and the input pull-up resi stor, then this bit should be set to a one, which permits the input
thresholds to track the supply as follows:
Figure 7-5. VIH and VIL (Chip Active, TTLenable = 1) – All I/O Interfaces
VIH, VIL when TTLenable is 1
0.40
0.60
0.80
1.00
1.20
1.40
1.60
1.80
2.00
2.20
2.40
2.60
2.80
3.00
3.20
2.0 3.0 4.0 5.0 6.0
Vcc
Vin
VIH
VIL
If the voltage supplied to the VCC pin of the A TSHA204 is different from the system volt age to which the i nput pull-up resistor is
connected, t hen the system des i gner may chose to set TTLena ble to zero, which enables a fi xe d i nput threshol d ac cording to
the followin g table.
Table 7-6. VIL and VIH (Chip Active, TTLenable = 0) – All I/O Interfaces
Parameter Symbol Min Typ Max Unit Notes
Input Low Voltage VIL GND-
0.5 0.5 V When chip is a c tive and TTLenable bit in
configuratio n mem or y is zero; otherwise, see
above
Input High Voltage VIH 1.5 VCC +
0.5 V When chip is active and TTLenable bit in
configuratio n mem or y is zero; otherwise, see
above
Atmel ATSHA204 [DATASHEET] 32
8740C−CRYPTO−7/11
8. Commands
8.1 I/O Blocks
Regardless of the I/O prot oc ol being used (single-wire or I2C), c om mands are sent to the chip, and r es ponses receiv ed from
the chip, with in a block that is c ons tructed in the following way:
Table 8-1. I/O blocks
Byte # Name Meaning
0 Count Number of bytes to be transferred to (or from) the chip in the block, including count byte, packet
bytes, and checksum bytes . The count b yt e should, therefore, al ways h av e a value of (N+1),
where N is equal t o the number of bytes in the pack et plus the two checksum bytes. Thus, for a
block with one count byte, 50 pack et bytes, and two checksum bytes, the count byte should be
set to 53. The max i m um size block (and value of c ount) is 84 bytes, and the minimum size block
is four bytes. Values outside this range will cause unpredictable operation
1 to (N-2) Packet Command, parameters and data, or response. See below for more details
N-1, N Checksum CRC-16 verification of the count and packet bytes. The CRC polynomial is 0x8005. T he i nitial
register value should be zero. A fter the last bit of the count and the packet have been
transmitted, the internal C RC register should have a v al ue that matches the checksum bytes in
the block. T he first CRC byte transmitted (N-1) is the least-significant byte of the CRC v alue, and
so the last byte of the block is t he most-significant byte of the CRC
The ATSHA204 i s designed in suc h a way that the count value in the input block should be consistent with the size
requirement s specified in the command parameters. If the count value is i nconsistent with the com mand opcode and/ or
parameters within the packet, the AT S H A 204 will respond in different ways, depending on the spec ific command. Either the
response may include an error indication or some input bytes may be silently ignored.
8.1.1 Command Packets
The command packet is broken down as shown in Table 8-2.
Table 8-2. Co mm and packets
Byte # Name Meaning
0 Opcode T he c ommand code – see Section 8.1.4
1 Param1 The first parameter – always pres ent
2-3 Param2 The second paramet er – always present
4+ Data Optional remaining input data
After the AT SHA204 receiv es al l the bytes in a bl oc k, the chi p transitions to the busy state and attempts t o execute the
command. Neither status nor results can be read from the chip when it is busy. During this time, the chip’s I/O interface
ignores all SDA transitions r egardless of the I/O interface selected. The command execution delays are listed i n S ection 8.1.4
If insuffic ient bytes are sent to the chip whe n i t is in one-wire mode, the chip automaticall y transitions to the low-power slee p
state after the tTIMEOUT interval. I n I2C mode, the chip continues to wait f or the remainin g bytes until the watchdog tim er limit,
tWATCHDOG, is reached or a start/stop condition is r ec ei v ed by the chip.
In the individual command description tables below in Sections 8.2 through 8.13, the size col umn describes the number o f
bytes in the parameter documented in each particular row. If the input block size f or a particular command is incor rect, the chi p
does not attem pt to execute the com m and; instead, the chip r eturns an error.
Atmel ATSHA204 [DATASHEET] 33
8740C−CRYPTO−7/11
8.1.2 Status/Error Codes
The chip does not have a dedicated status regis ter, and so the output FIFO is shared among st atus, error, and command
results. All output from the c hip i s returned to the system as complete blocks, which are formatted identically to input blocks:
• Count
• Packet
• 2-byte CRC
After the chip r ec ei ves the first byte of an input command block , the system cannot read anyt hing from the chip until the
system has sent all the bytes to the chip.
After wake an d after executi on of a command, there will be error, status, or result bytes in the chip’s output register that can be
retrieved b y th e system. When the length of that block is four bytes, the c odes returned are detailed below in Table 8-3. Some
commands return more than four bytes when t hey execute succ es sfully: th e r esulting packet description is listed in the
command section below.
CRC errors are always returned before any other type of er ror. They indic ate that some s ort of I/O er ror occurred and that the
command may be resent to the c hip. If a command includes both parse and execution errors, there is no part i c ular precede nc e
enforced – an ex ecution error may occur befor e a parse error and/or the revers e.
Table 8-3. Status/error Codes in 4-byte Blocks
State Description Error/Status Description
Successful
Command Exec ution 0x00
Command executed successf ul ly
Checkmac
Miscompare 0x01 The CheckMac command was properly sent to the chip, but the input client
response did n ot match the expect ed v alue
Parse Error 0x03 Command was properly received, but the length, comm and opcode, or p ar ameters
are illegal, regardless of t he state (volatile and/or EEPR OM configuration) of the
ATSHA204
Changes in the value of the com m and bits must be m ade before it is re-attempted
Execution Error 0x0F Command was properly received, but could not be executed by the chip in its
current state
Changes in the chip state or the v alue of the com mand bits must be m ade before it
is re-attempted
After Wake, but prior
to first command 0x11 Indication that the ATSHA204 has received a proper wake token
CRC or other
Communications
Error
0xFF Command was not properly received by the ATSHA204, and should be re-
transmitted by the I/O driver in the system
No attempt was made to parse or execute the command
Atmel ATSHA204 [DATASHEET] 34
8740C−CRYPTO−7/11
8.1.3 Command Opcodes, Short Descriptions, and E xec uti on Times
During parsing of the parameters and subse quent executi on of a properl y received command, the chip will be busy and not
respond to transitions on t he pins. The interval during which the chip will be busy varies depending on the comm and and its
parameter values, the stat e of the chip, the e nv i r onmental conditions, and other factors per the table below.
Table 8-4. Command Opcodes, Short D escriptions, and Execution Times
Command Opcode Description Typ. Exec.
Time1, ms Max. Exec.
Time2, ms
DeriveKey
0x1C
Derive a target key value from the target or parent key
14 62
DevRev 0x30 Return device r evision information 0.4 2
GenDig 0x15 Generate a data protectio n digest from a r andom or input seed and a
key 11 43
HMAC 0x11 Calculate response from key and other inter nal data using
HMAC/SHA-256 27 69
CheckMac 0x28 Verif y a MA C c al c ulated on another Atmel CryptoAuthent ication devic e 12 38
Lock 0x17 Prevent further modificati ons to a zone of the chip 5 24
MAC 0x08 Calculat e response fr om key and other internal data us ing SHA-256 12 35
Nonce 0x16 Generate a 32-byt e r andom number a nd an internal ly stored nonce 22 60
Pause 0x01 Sel ec tively put j us t one chip on a shared bus into the idle state 0.4 2
Random 0x1B Generate a random number 11 50
Read 0x02 Read four byte s from the chip, with or without authenticati on and
encryption 0.4 4
UpdateExtra 0x20 Update bytes 84 or 85 within the configuration zone after the
configuration zone is locked 8 12
Write 0x12 Write 4 or 32 bytes to the chip, with or without authentication and
encryption 4 42
Notes: 1. Typical execut ion times are representativ e of the duratio n to execute the c ommand assuming no error
conditions, fastest mode s etting, no optional inter nal actions such as limited use keys, and favorable
environment al conditions. For best perf or mance, delay for this interval and then s tart polling to determine act ual
command completion
2. Maximum ex ecution times are represe ntative of t he longest durati on of a successf ul c ommand execut ion with al l
mode and internal actions enabled under extended statistical and environmental conditions. Execution time may
extend beyond these values in extreme situations. In mos t but not all cases, failing commands will return
relativel y qu i c kly, often well before t he typical execution time
Atmel ATSHA204 [DATASHEET] 35
8740C−CRYPTO−7/11
8.1.4 Address Encoding
The Read and Wr i te commands include a single ad dress in Param2 t hat indicates the memory to be accessed. All Reads and
Writes are in units of four bytes (one word). The mos t-signific ant byte of a legal A TSHA204 addres s is always zero. All unused
address bits s hould always be set to zero. The least-signif icant bits in the address describe the off s et to the first word to be
accessed within the block/slot, while t he upper bits specify the block /slot number per the table below:
Table 8-5. Address Encoding (Param2)
Zone
Byte 1
Byte 0
Unused Unused Block/Slot Offset
Config Bits 0 7 Bits 5 7 Bits 3 4 Bits 0 2
OTP Bits 0 7 Bits 4 7 Bit 3 Bits 0 2
Data Bits 0 7 Bit 7 Bits 3 6 Bits 0 2
Within each zone, there are v arious access restrictions per the table below:
Table 8-6. Legal Block/slot Values
Zone Legal Block/Slot
(inclusive) Notes
Config 0-2 Address es below 16 (block 0, offset 16) and above 87 (block 2, offset 23) can never be
written
Addresses ab ove 87 can never be read. Both 4- and 32-byte reads/writes are perm itted
OTP 0-1 When OTPmode is read-only, all offsets in both blocks are availabl e to use with 4- or 32-byte
reads
If OTPmode is cons umption, then writes are also p er mitted to all offsets
See Section 2.1.3 if OTPmode is Legacy
Data 0-15 All offset s i n all slots avail able for both r ead and write
4-byte access per m i tted on a part i c ular slot only if SlotConfig.IsSecret is zero
In the table below, “Byte Address” is the byt e address wit hin the data zone f or the first byte in the respective slot. Because all
Reads and Writes with the ATSHA204 are performed on a word (4-byte or 32-bit) basis, the word address in the table below
should be used for the address par am eter passed to the Read and W r i te commands.
Table 8-7. Data Zone Slots
Slot # Byte Address
(Hex) Word Address
(Hex) Slot # Byte Address
(Hex) Word Address
(Hex)
0 0x0000 0x0000
8 0x0100 0x0040
1 0x0020 0x0008 9 0x0120 0x0048
2 0x0040 0x0010
10 0x0140 0x0050
3 0x0060 0x0018
11 0x0160 0x0058
4 0x0080 0x0020
12 0x0180 0x0060
5 0x00A0 0x0028 13 0x01A0 0x0068
6 0x00C0 0x0030
14 0x01C0 0x0070
7 0x00E0 0x0038
15 0x01E0 0x007F
Atmel ATSHA204 [DATASHEET] 36
8740C−CRYPTO−7/11
8.1.5 Zone Encoding
The value in Par am1 controls which zone the c ommand accesses. See S ection 2.1.2.2, “Configuration Zone Locking,” to
obtain more information on what controls the “locked” and “unlocked” states for eac h zone. All other zone values are reserved,
and should not be used.
Table 8-8. Zone Encoding (Param1)
Zone
Name Param1
Value Size Read Write
Config 0 512 bits,
64 bytes,
2 slots
Always available Partial ly, when unl ocked
Never when locked
Never encrypt ed
OTP 1 512 bits,
64 bytes,
2 slots
Never when un l oc ked. Al ways
when locked, except in legacy
mode. See Section 2.1.3
All writeable when unlock ed using Write
When locked, write permissi ons depend on OT Pm ode
See Section 2.1.3
Data 2 4096 bits,
512 bytes,
16 slots
Never when un l oc ked.
Otherwise, con trolled by
IsSecret and EncryptRead.
All writeable when unlocked
When locked, writes contro ll ed by WriteConfig
8.1.6 Watchdog Failsafe
A watchdog counter starts within the chip af ter the ATSHA204 receives a wake token. After tWATCHDOG, the chip enters sleep
mode, regardl ess of whether some I/O t ransmission or c ommand execution is in pro gr ess. There is no way to reset t he
counter other than to put the chip into sleep or idle mode and then wake it up again.
The watchdog timer is implem ented as a fails afe mechanism so that no matter what happens on eit her the s ystem s ide or
inside the chi p, includin g any I/O synchr onization iss ue, power cons umption will f all to the ultra-low sleep level automatically.
The chip resets the values stored in the SRA M and i nternal st atus registers when it transitions to the sleep s tate. Howe ver, if
the chip is explicitly put into the idle mode through the appropriate I/O sequence, the c hip retains t he contents of the two
SRAM registers (TempKey and RNG seed).
Normally, all command sequences must complete within tWATCHDOG if they require state that is stored in the SRAM registers.
The system software can use this idle mode m ec hanism to im plement a longer com mand sequenc e than can be completed
during a single watchdog int erval.
Atmel ATSHA204 [DATASHEET] 37
8740C−CRYPTO−7/11
8.2 CheckMac Command
The CheckMac command calculates a MAC r esponse that would have been generated on a CryptoAuthe ntication chip and
compares that with an input val ue. It returns a Boolean to in dicate the success or failure of the compari son.
Prior to running this comman d, the Nonce and/or GenDig c om mands may have been optionally run to create a k ey or nonce
value in TempKey. The input mode parameter determines the s our ce of the “key” (the first 32 bytes of the SHA m essage) and
“challenge/nonce” (the s ec ond 32 bytes of the S H A message).
If the comparison matches, t hen the target EEPROM slot v al ue may be copie d into TempKe y. If KeyID is even, then the target
slot is KeyID+1, else the t ar get slot is KeyID. For the cop y to take place, the m ode parameter to CheckMac must have a value
of 0x01 and SlotConfig.Re adKey for the target key must be z ero. When CheckMac is loade d in this manner, it will not be
retained when the chip enters the idle state
Table 8-9. Input parameters
Name
Size
Notes
Opcode CHECKMAC 1 0x28
Param1 Mode 1 Bit 0: If zero, the s econd 32 bytes of the SHA message are taken from the input
ClientChal parameter. If one, the secon d 32 bytes of the message are taken
from TempKey
Bit 1: If zero, us e key[KeyID] in first SHA block. If one, use TempKey.
Bit 2: If Mode:0 or Mode:1 are set, then the valu e of this bit must m atch the value in
TempKey.SourceFlag or the command will r eturn an error.
Bit 5: If one, use 64 bits of OTP zone in calcul ation. If z er o, use 64 zeros
Bits 3-4 and 6-7: Must be zero
Param2 KeyID 2 Whic h internal key is to be used to ge nerate the response. All but bits 0:3 are i gnored
Data1 ClientChal 32 Challe nge sent to c li ent. If Mode:0 is one, then the value of this paramet er will be
ignored (though these 32 bytes MUST still appear in the input stream)
Data2 ClientResp 32 Respons e generated by the client
Data3 OtherData 13 Remaining cons tant data needed for response calculation
Table 8-10. O utput parameter
Name
Size
Notes
Result 1 Returns a single byte with a val ue of zero if ClientResp matches the internally
computed digest, one if there is a mismatch
The message that will be hashed with the SHA-256 algorithm consists of the followin g i nformation:
32 bytes key[KeyID] or TempKey (depending on mod e)
32 bytes ClientChal or TempKey (depending on mode)
4 bytes OtherData[0:3]
8 bytes OT P [0:7] (or 0s depend i ng on mode)
3 bytes OtherData[4:6]
1 byte SN[8]
4 bytes OtherData[7:10]
2 bytes SN[0:1]
2 bytes OtherData[11:12]
Atmel ATSHA204 [DATASHEET] 38
8740C−CRYPTO−7/11
8.3 DeriveKey Command
The chip combines the current value of a key with the Nonce stored in Tem pKey using SHA-256, and pla c es the result into the
target key slot . SlotConfig[TargetKey]. Bit13 must be set or Deriv eKey will r eturn an error.
If SlotConfig[TargetKey].Bit12 is zero, the source key t hat will be combined with TempKey is the tar get key specifi ed in the
command line ( Rol l Key operation) . If SlotConf ig[TargetKey].Bit12 is o ne, the source key is the parent key of the target key,
which is found in SlotConfig[TargetKey].WriteKe y (Cr eate Key operation).
Prior to execution of this command, the Nonce command must have been run to c reate a valid nonce in Tem pKey. Depending
on the state of bit two of the input mode, this nonce must have been created wit h the internal ra ndom number ge ner ator, or i t
must have bee n fixed.
If SlotConfig[TargetKey].Bit15 is set , an input MAC mus t be present and have been com puted as:
SHA-256(ParentKey, Opcode , Param1, Para m2, SN[8], SN[0:1])
where the Pare ntKey ID is always SlotConfi g[Target Key].WriteKey.
If SlotConfig[TargetKey].Bit12 or Slot C onfig[TargetKey].Bit15 is set and SlotConfig[ParentKey].Si ngleUse is also s et,
DeriveKey ret urns an error if UseFlag[ParentKey] is 0 x00. DeriveKe y ignores SingleU se and UseFlag f or the target k ey if
SlotConfig[ TargetKey].Bit12 and Slot Config[TargetKey].Bit15 are both zero.
For slots 0-7 only, if input parsing and the optional MAC ch eck succeed, Us eFlag[TargetKey] gets set to 0xFF and
UpdateCount[TargetKey] is i ncremented. If UpdateCount currentl y has a value of 255, it wraps to zero. If the command fails for
any reason, these bytes are not updated. The v alue of UpdateCount may be corr upted if power is interr upted during the
execution of DeriveKey.
Note: If the source and t arget key are the s ame, there is a risk of permanent l os s of the key value if power is
interrupted during the write operatio n. If the configur ation bits per mit it, the key slot may be recovered using an
authenticated and encrypted write based on the parent k ey
Table 8-11. Input Parameters
Name Size Notes
Opcode DERIVEKEY 1 0x1C
Param1 Random 1 Bit 2: The value of this bit must match the value in T empKey.SourceFl ag or the
command will r eturn an error
Bits 0:1, 3:7: Must be zero
Param2 TargetKey 2 Key slot to be written
Data Mac 0 or 32 Optional MAC used to validate operation
Table 8-12. O utput parameter
Name Size Notes
Success 1 Upon successful completion, t he A TSHA204 returns a value of zero
Atmel ATSHA204 [DATASHEET] 39
8740C−CRYPTO−7/11
The key written to the target slot is the result of a SHA-256 of the following message:
32 bytes Target or parent key (depending on SlotConfig Bit12)
1 byte Opcode
1 byte Param1
2 bytes Param2
1 byte SN[8]
2 bytes SN[0:1]
25 bytes Zeros
32 bytes TempKey.value
The data flow for this comma nd is shown graphically in the figure below:
Figure 8-1. Data Flow for DeriveKey Command
Match
Parent
Key Target
Key
SHA
(AUTH)
Input MAC
SHA
(Derive)
Mode
Source
Key Nonce
Atmel ATSHA204 [DATASHEET] 40
8740C−CRYPTO−7/11
8.4 DevRev Command
DevRev command returns a single four-byte word representing the revis i on number of the device. Software should not depend
on this value as it may change f r om time to time.
Table 8-13. Input Parameters
Name Size Notes
Opcode DEVREV 1 0x30
Param1 Mode 1 Must be zero
Param2 - 2 Must be zero
Data - 0 -
Table 8-14. Output Parameters
Name Size Notes
Success 4 The current device revision number
Atmel ATSHA204 [DATASHEET] 41
8740C−CRYPTO−7/11
8.5 GenDig Command
Uses SHA-256 to combine a s tored value wit h the contents of TempKey, which m us t have been va l id prior to t he execution of
this command. The stored value can come from one of the data slots, either of the OTP pages, eit her of the first two pages of
the configurat ion zone, or retrieved from the hardware transport key array. The resulting digest is retained in T em pKey, and
can be used in one of three ways:
1. It can be included as part of the message used by the MAC, CheckMac, or HMAC commands. Because the MAC
response output incorporates both the data used in the GenDig calculation and the secret key from the MAC
command, it serves to authenticate the data stored in the data and/or OTP z ones
2. A subsequent Read or Write command can use the digest t o provide authentication and/or confidentiality for the
data, in which case it is known as a data protection digest
3. You can use this command for secure personalization by using a value from the transport key array. The resulting
data protection digest would then be used by the Write Command
If Zone is two (Data) and KeyID is ≤15, the GenDig command sets TempKey.GenData to o ne and TempKe y.KeyID to the inp ut
KeyID; otherwise, TempKey.GenData is set to zero.
Regardless of how the resulting digest is c omputed, it can never be read from the chip.
If TempKe y.Valid is invalid, this comm and r eturns an err or. Upon comman d completion, t he TempKey.Vali d bit is set,
indicating that a digest has been loaded and is ready for use. The TempKe y.Valid bit is cleared when the next command is
executed. See Section 2.2 for more details.
For all KeyID values less than 0x8000, the chip uses the least-significant four bits of KeyID to deter mine the slot number from
which to retri eve the key value from the dat a zone of the EEPROM. KeyID values above 0x800 0 r eference keys stored in the
masks of the design. In any event, all 16 bits of KeyID as input to the chip are us ed as Param2 in t he SHA-256 calculation.
If the Zone parameter points to the configuration zone, then this command returns an error if the configuration zo ne is
unlocked.
When the key specified on in put to GenDig has the CheckOnly bit set, GenDi g c an be used to generate ephemeral keys
matching those generated on c l ient CryptoAuthentication chips using the DeriveKey command. K eys that have t he CheckOnly
bit set represent situations in which the c hi p is acting as a host. In thi s case, the opcode and parameter bytes that wou ld
normally be included in th e S H A calculation ar e replaced with bytes from the input stream .
Table 8-15. I nput parameters
Name Size Notes
Opcode GENDIG 1 0x15
Param1 Zone 1 If 0x00 (Conf ig): Use KeyID to specify either the first (KeyID=0) or s econd (KeyID = 1)
256-bit block of the configuration zone
If 0x01 (OTP ): Use KeyID to specify either the first or second 256-bit block of the OTP
zone
If 0x02 (Data): KeyID specifies a slot in t he data zone or a t r ansport key in t he hardware
array
All other values are reserved and m ust not be used
Param2 KeyID 2 I dentification number of the key to be used, or selection of whic h OTP block
Data OtherData 4 or 0 4 b yt es of data for SHA calculation when using a Chec kOnly key; otherwise ign or ed
Table 8-16. O utput parameter
Name Size Notes
Success 1 Upon success ful execut ion, the Atmel ATSHA204 returns a value of zero
Atmel ATSHA204 [DATASHEET] 42
8740C−CRYPTO−7/11
If Zone is data and SlotConfig[KeyID].CheckOnl y is one, the SHA-256 message body used to create the resulting new
TempKey cons ists of the following bytes:
32 bytes Data.slot[KeyID]
4 bytes OtherData
1 byte SN[8]
2 bytes SN[0:1]
25 bytes Zeros
32 bytes TempKey.value
In all other cas es , the message use to create Tem pK ey is as follows:
32 bytes Config[KeyID] or OTP[KeyID] or Data.slot[KeyID] or TransportKey[KeyID]
1 byte Opcode
1 byte Param1
2 bytes Param2
1 byte SN[8]
2 bytes SN[0:1]
25 bytes Zeros
32 bytes TempKey.value
Atmel ATSHA204 [DATASHEET] 43
8740C−CRYPTO−7/11
8.6 HMAC Command
Computes a HMAC/SHA-256 digest of a key stored in the chip, a chall enge, and other information on the chip. The output of
this command is the output of the HMAC algor ithm computed over this key and message. If the message includes the ser i al
number of the chip, the response is said to b e diversified.
The normal co mmand flow to use this command is as follows:
1. Run Nonce command to load input challenge and optionally combine it with a generated random number. The result
of this operation is a nonce stored internally on the chip
2. Optionally run GenDig command to combine one or more stored EEPROM locations in the chip with the nonce. The
result is stored internally in the chip
3. Run this HMAC command to combine the output of steps one (and step two if desired) with an EEPROM key to
generate an output response
Step two addresses multip le use models. If the data in the E E PROM is a key, GenDig has the effect of authent i c ating the
challenge with mult i ple secret k eys. Alternatively, if the contents of the slot are data (which does not have to necessarily even
be secret), GenD ig has the eff ect of authenti cating the value stored in that l oc ation.
Table 8-17. I nput parameters
Name Size Notes
Opcode HMAC 1 0x11
Param1 Mode 1 Contro ls which fields within th e c hi p are used in the mes s age
Param2 KeyID 2 Which key is to be used to generat e the response
Bits 0:3 only are used to select a slot but all 1 6 bi ts are used in the HMAC message
Data - 0 -
Table 8-18. Output parameter
Name
Size
Notes
Response 32 HMAC digest
The HMAC dig es t is computed usi ng the key at KeyID as the HMAC key over a message consisting of the foll owing
information:
32 bytes Zeros
32 bytes TempKey
1 byte Opcode (always 0x11)
1 byte Mode
2 bytes KeyID
8 bytes OT P [0:7] (or zeros, s ee Table 8-19)
3 bytes OT P [8:10] (or zeros, s ee Table 8-19)
1 byte SN[8] bits (never z er oed out)
4 bytes SN[4:7] bits (or zer os , see Table 8-19)
2 bytes SN[0:1] (never zer oed out)
2 bytes SN[2:3] (or zeros, see Table 8-19)
Atmel ATSHA204 [DATASHEET] 44
8740C−CRYPTO−7/11
See the NIST HMAC s pecification f or a complete description of how the various digests are cal c ulated us ing SHA-256, the
HMAC key, and appropriate padding. See http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf. The padding is part of the
SHA-256 message ( see Section 3.1). HMAC is a construct that sits on top of SHA-256.
Table 8-19. Mode Encoding
Bits Meaning
7 Must be zero
6 If set, include the 48 bits SN[2:3] and SN[4:7] i n the message
Otherwise, t he corresponding message bits are set t o z ero
5 Include the first 64 OTP bits (OTP[0] through OTP[7]) in t he message
Otherwise, t he corresponding messag e bits are set t o zero
If Mode[4] is set, the value of t hi s mode bit is ignor ed
4 Include the first 88 OTP bits (OTP[0] through OTP[10]) in the mes s age
Otherwise, t he corresponding message bits are set t o z ero
3 Must be zero
2 The value of this bit must match the value in T empKey.SourceFl ag or the command will return an er r or
0-1 Must be zero
Atmel ATSHA204 [DATASHEET] 45
8740C−CRYPTO−7/11
8.7 Lock Command
Write either LockConfig or LockValue to 0xFF, thereby changing the p er missions in the designated zone.
This command fails if the designated zone i s al r eady locked.
Prior to locking the chip, the ATSHA204 us es the CRC-16 algorithm to ge nerate a summa ry digest of the designated zone(s).
The calculation is made identically to the CRC computed over the inp ut and output bloc ks.
• For the configuration zone, the CRC is calculated over all 88 bytes
• For the data and OTP zones, their contents ar e conc atenated in that order to cr eate the input t o the CRC algorithm
If the input summary does not match that computed on the chip, an error is returned and the per s onalizat i on process should
be repeated.
Table 8-20. Input Parameters
Name Size Notes
Opode LOCK 1 0x17
Param1 Zone 1 Bit 0: Zero for config zone, 1 for data and OTP zones
Bits 1-6: Must be zero
Bit 7: If one, the check of t he z one CRC is ignor ed and the zone i s l oc ked, regardless
of the state of the memory. Atmel does not recomme nd us ing this mode
Param2 Summary 2 Summary of the designated zones, or should be 0x0000 if Zone[7] is s et
Data - 0 -
Table 8-21. Output Parameter
Name Size Notes
Success 1 Upon success ful execut ion, the Atmel ATSHA204 returns a value of zero
Atmel ATSHA204 [DATASHEET] 46
8740C−CRYPTO−7/11
8.8 MAC Command
Computes a SHA-256 digest of a k ey stored in the c hip, a challenge, and other information on the chip. The output of this
command is the digest of this m es sage. If t he mess age includes the serial number of the chip, the r es ponse is said to be
diversified.
The normal co mmand flow to use this command is as follows:
1. Run Nonce command to load input challenge and optionally combine it with a generated random number. The result
of this operation is a nonce stored internally on the chip
2. Optionally run GenDig command to combine one or more stored EEPROM locations in the chip with the nonce. The
result is stored internally in the chip. This capability permits two or more keys to be used as part of the response
generation
3. Run this MAC command to combine the output of step one (and step two if desired) with an EEPROM key to
generate an output response (or digest)
Alternativ ely, data in any slot (which does not have to necessaril y even be secret) c an be accumulated into the res ponse
through the same GenDig mechanism. This has the effect of authenticating the value stored in that location.
Table 8-22. Input Parameters
Name Size Notes
Opcode MAC 1 0x08
Param1 Mode 1 Controls which fields within the chip are used in the message
Param2 KeyID 2 Which internal key is to be used to gener ate the response
Bits 0:3 only are used to select a slot but all 16 bits are used in the SHA-256 m essage
Data Challenge 0 or 32 Input portion of m essage to be digested, ignored if Mode:0 is one
Table 8-23. Output Parameter
Name
Size
Notes
Response 32 SHA-256 digest
The message that will be hashed with the SHA-256 algorithm consists of the following information:
32 bytes key[KeyID] or TempKey (See Table 8-24)
32 bytes Challenge or TempKey (See Table 8-24)
1 byte Opcode (always 0x08)
1 byte Mode
2 bytes Param2
8 bytes OT P[0:7] (or zeros, s ee Table 8-24)
3 bytes OT P[8:10] (or zeros, s ee Table 8-24)
1 byte SN[8] bits (never zeroed out)
4 bytes SN[ 4:7] bits (or zeros, see Table 8-24)
2 bytes SN[ 0:1] (never zer oed out)
2 bytes SN[ 2:3] (or zeros, s ee Table 8-24)
Atmel ATSHA204 [DATASHEET] 47
8740C−CRYPTO−7/11
Table 8-24. Mode Encoding
Bits Meaning
7 Must be zero
6 If set, include the 48 bits SN[2:3] and SN[4:7] i n the message
Otherwise, t he corresponding message bits are set t o zero
5 Include the first 64 OTP bits (OTP[0] through OTP[7]) in t he message
Otherwise, t he corresponding messag e bits are set t o zero
If Mode[4] is set, the value of t hi s mode bit is ignor ed
4 Include the first 88 OTP bits (OTP[0] through OTP[10]) in the mess age
Otherwise, t he corresponding messag e bits are set t o zero
3 Must be zero
2 If either Mode: 0 or Mode:1 are set, M ode:2 must match the value in Tem pK ey.SourceFlag or the command will
return an error
1 If zero, the first 32 bytes of the SHA mess age are loaded from one of the data s l ots
If one, the fir st 32 bytes are filled with TempKey
0 If zero, the second 32 bytes of the SHA message ar e taken from t he input Challenge par ameter
If one, the second 32 bytes are f i ll ed with the value in TempKey. This mode is r ec ommended for all use
Atmel ATSHA204 [DATASHEET] 48
8740C−CRYPTO−7/11
8.9 Nonce Command
This command generates a nonce for use by a subsequent GenDig, MAC, HMAC, Read, or Write command b y combining an
internally g enerated ran dom number with an input value fr om the system. The resulting Nonce is stored internall y in TempKey
and the genera ted random number is returned to the system.
The input valu e i s designed to prevent replay at tacks against the host ─ it must be externally generated by the system and
passed into the chip using this command. It may be any value that changes c onsistently, such as a nonv olatile counter , current
real time of day, and so on, or it can be an externally generated r andom number.
To provide a Nonce value f or subsequent crypto commands, the input number and output random number are hashed
together per t he informati on listed below. The resulting digest (nonce) is always stored in the TempK ey register,
TempKey.Valid is set, and TempKey.SourceFlag is set to “Rand.” The Nonce can be used by a subsequent GenDig, Read,
Write, HMAC, or MAC command – thus, the system must externally compute this digest value and store it exter nally to
complete the execution of those commands.
Alternativ ely, this command can also be run in a pass-through mode if a f i x ed nonce is required for subsequent commands. In
this case, the input value must be 32 bytes lo ng, and it is pas sed directly to TempKey without modificat ion. No SHA-256
calculatio n is performed, and TempKe y.SourceFlag is set to “Input.” The nonce value i n TempKey may not be used with Read
or Write commands. If operated in this mode and with a repeated input number value, the chip provides no pr otection against
replay attacks.
Prior to the configuration sec tion being loc ked, the rand om number gener ator produces a value of 0xFF FF 00 00 FF FF 00 00
to facilitate testing. Thi s test value is combined with the input value in the manner described above.
Table 8-25. Input Parameters
Name Size Notes
Opode Nonce 1 0x16
Param1 Mode 1 Controls the mec hanism of the internal random num ber generator and seed update
Param2 Zero 2 Must be 0x0000
Data NumIn 20,32 Input value from system
Table 8-26. Output Parameter
Name Size Notes
RandOut 1 or 32 The output of the r andom number generator or a single byte with a value of zero if
Mode[0:1] is three
If Mode[0:1] is zero or one, the input NumIn parameter must be 20 bytes long, and the SHA-256 message body used to create
the nonce stored internally in TempK ey consists of the following:
32 bytes RandOut
20 bytes NumIn from input stream
1 byte Opcode (always 0x16)
1 byte Mode
1 byte LSB of Param2 (should always be 0x00)
Atmel ATSHA204 [DATASHEET] 49
8740C−CRYPTO−7/11
Upon completion of the com m and, TempKe y.SourceFlag i s set to “Rand.”
If Mode[0:1] is three, this command operates in pass-through mode, the input par ameter (NumI n) must be 32 bytes long, and
TempKey is loaded with NumIn. No SHA-256 calculation is performed, no data is returned to the system, and
TempKey.SourceFlag is set t o “Input.”
If Mode[0:1] is one, the automatic seed upd ate is suppressed. See Section 3.4.2 for more details.
Table 8-27. Mode Encoding
Bits Meaning
2-7 Must be zero
0-1 0: Combine new random number with NumIn, store in TempKey. Automatically update EEPROM seed on ly if
necessary prior to random num ber generatio n. R ecommended for hi ghest securi ty
1: Combine new random num ber with NumIn, store in Tem pK ey. Generate r andom number using existin g
EEPROM seed , do NOT update EEPROM seed
2: Invalid
3: Operate in p ass-through mode and write TempKey with NumIn
Atmel ATSHA204 [DATASHEET] 50
8740C−CRYPTO−7/11
8.10 Pause Command
All chips on the bus for which the configuration Selector byte does not match the i nput selector parameter will go into the idle
state. This command is used to pr ev ent bus conf li c ts in a syst em that includes multiple ATSHA204 chips sharing the same
bus.
This command differs from the idle flag/sequence in that individual chips on t he s i ngle pin bus may be selected to go into the
idle state, as opposed to the idle flag which causes all the Cr ypt oA uthentication devices on the bus into the idle state.
If the EEPROM S el ec tor byte does not match the input selector parameter, the chip will immediat ely go to the idle state and no
result information will be available. If the input selector parameter does match the configuration selector byte, t he c hip returns
a success code of 0x00.
The pause com m and cannot be used to put the chips into the sleep state.
Table 8-28. Input Parameters
Name Size Notes
Opode PAUSE 1 0x01
Param1 Selector 1 All chips that do not mat ch this value go to idle state
Param2 Zero 2 Must be 0x0000
Data - 0 -
Table 8-29. Output Parameter
Name Size Notes
Success 1 If the command indicates that some other chip should idle, the Atmel ATSHA204
returns a value of 0x00
If this chip goes to idle, no value is return ed
Atmel ATSHA204 [DATASHEET] 51
8740C−CRYPTO−7/11
8.11 Random Command
This command generates a random number f or use by the system .
Random numb er s are generated through a combination of the output of a hardware random number generator and an internal
seed value st ored in the EEPROM or SRAM. The exter nal system may choose to u pdate the internally stored EEPROM seed
value prior to t he generation of the random number as part of the execution of the nonce or random command, though the
endurance limitations of the EEPROM limi t the number of times that t hi s update can be performed. Af ter the enduranc e limit
has been reached, attempts to update the E E PROM seed ret ur n an error.
The random c ommand does not provide a mecha ni s m to integrate an input number with the internal stored s eed. If this
functionality is desired, the system should use the Nonce command and ignore the generated nonce.
Prior to the configuration sec tion being loc ked, the rand om number generator produces a value of 0xFF, 0xFF, 0x00, 0x00,
0xFF, 0xFF, 0x00, 0x00 to facilitate testing.
Note: The same internally stored seeds are used for both the Nonce and Random commands. Use of Mode=0 ensures
that the EEPROM is updated, if necessary.
Table 8-30. Input Parameters
Name Size Notes
Opode RANDOM 1 0x1B
Param1 Mode 1 Controls the mec hanism of the internal random number ge ner ator and seed update
Param2 Zero 2 Must be 0x0000
Data - 0 -
Table 8-31. Output Parameter
Name
Size
Notes
RandOut 32 The output of the random number generator
Table 8-32. Mode Encoding
Bits Meaning
1-7 Must be zero
0 0: Aut om atically update EEPROM s eed only if necess ar y prior to random number generation
Recommended for highest secur i ty
1: Generate random number using existing EEPROM seed; d o not update EEPROM seed
Atmel ATSHA204 [DATASHEET] 52
8740C−CRYPTO−7/11
8.12 Read Command
Reads words ( one 4-byte word or an 8-word bloc k of 32 bytes) from one of the memory zones of the chip. The data may
optionall y be encrypted before being returned to the system. See also Sec tion 8.1.5, “Zone Encoding,” and Sectio n 8.1.4,
“Address Encoding,” for data zone byte and wo r d addressin g i nformation.
If reading from a slot in which SlotConfig.EncryptRead is set, the GenDig command must have been r un prior to the e x ecution
of this command to generate the k ey that will be used for encryption. The input nonce to GenDig must hav e been a random
number, and the key specified in SlotConf ig.ReadKe y mus t have been us ed in the GenDig cal culation.
The chip encr ypts data to be r ead by XORing each byte read f r om the EEPROM with the corresponding byt e from TempKey.
Encrypted reads of the configuration and/or OTP zones are not permitted.
The byte addresses to be read s hould be divided by four (drop the least-significant two bits) befor e being passed to the chip. If
32 bytes are b eing read, the least-significant three bits of the input address are ign or ed. Address es beyond the end of the
specified zone result in an error.
The following restrictions apply to the three zones:
Config The words within this z one are al ways readable using this command, regardless of the value of LockConfig.
See Section 2.1.1, as some bytes are unreadable under a ny circumstances, and any att empt to read these
bytes result in an error.
OTP If the OTP zone is unlocked, this command returns an error. Once loc ked, if OTPmode is set to a non-zero
value and the address points to either word zero or one, then the com mand also retur ns an error. Otherwise,
the corresponding word within the OT P zone is returned in t he clear. If OTPm ode i s Legac y, then only four
byte reads are perm i tted.
Data If the data zone is unlocked, this com m and returns an er ror. Otherwise, the values within the correspon ding
SlotConfig word control acc ess to the data s lot. If Slot Config.IsSec ret is set and a four byte read is
attempted, t he chip returns an error. If EncryptRead is set , this command encrypts the data as specified
above. If IsSecret is set and Enc ryptRead is clear, this command returns an error. If IsSecret is clear and
EncryptRead is clear, this command returns the desired s lot in the clear.
Table 8-33. Input Parameters
Name
Size
Notes
Opcode READ 1 0x02
Param1 Zone 1 Bits 0 and 1: Select among config, OTP, or data. See S ection 8.1.5
Bits 2-6: Must be zero
Bit 7: If one, 32 bytes are read; otherwise four bytes are read. Must be zero if r eading from
OTP zone
Param2 Address 2 Address of first word to be read within the zone. See Section 8.1.4
Data - 0 -
Table 8-34. Output Parameter
Name Size Notes
Contents 4 or 32 The content s of the specified memory location
Atmel ATSHA204 [DATASHEET] 53
8740C−CRYPTO−7/11
If reading the data zone and the EncryptRead bit is set in t he c orrespondin g S l otConfig word, the following ac tions are t ak en to
encrypt the data:
All of the TempKey register b i ts must be proper ly set as follo ws, or this command r eturns an error:
TempKey.Valid == 1
TempKey.GenData == 1
TempKey.KeyID == SlotConfig.ReadKey
TempKey.SourceFlag == “R and”
XOR the data from the memory zone with TempKey. Return as “Contents.”
Atmel ATSHA204 [DATASHEET] 54
8740C−CRYPTO−7/11
8.13 UpdateExtra Command
This command is used to update the values of the two “extra” bytes within the configur ation zone (location 84 and 85) after the
configuration zone has be en locked.
If the mode par am eter indicat es UserExtra a t address 84:
If the current value in UserExtra (byte 84 of configuration zone) is zero, then UpdateExtra writes this byte with the LS byte
of NewValue and returns success.
If the current value in UserExtra is non-zero, the command returns an execut ion error.
If the mode par am eter indicat es selector at a ddr ess 85:
If SelectorM ode (byte 19 of the configuration zone) is non-zero and Selector (byte 85 of the configuration zone) is z ero,
this command wil l write Selector with the LS byte of NewValue and return success. Once written to a no n-zero value, it is
then locked against further updating.
If SelectorM ode has a value of zero, indicating that no check of the current S elector should be made, this command
always updates Selector an d always succ eeds.
Table 8-35. Input Parameters
Name Size Notes
Opode UPDATEEXTRA 1 0x20
Param1 Mode 1 Bit 0: If zero, update config byte 84.
If one, update config byte 85.
Bits1-7: Must be zero
Param2 NewValue 2 LSB: Value to optio nally be writt en to location 84 or 85 in configuration zone
MSB: Must be 0x00
Data - 0 -
Table 8-36. Output Parameter
Name Size Notes
Success 1 If the memory byte was updated, this command returns a value of 0x0 0
Otherwise, it returns an Execution error
Atmel ATSHA204 [DATASHEET] 55
8740C−CRYPTO−7/11
8.14 Write Command
Writes either a one 4-byte word or an 8-word block of 32 b yt es to one of the EE PROM zones on the chip. Depending on the
value of the WriteConfig byt e for this slot the data may be required to be encrypted by t he system prior to being sent to the
chip.
The following restrictions apply to writes within zones using this com m and:
Config If the Config zo ne i s l oc ked or Zone: 6 i s set, this comm and returns an er ror. Otherwise the bytes are written
as requested. Any attempt to write any byte for which Writes are permanentl y prohibite d (per Section 2.1.1)
results in a command error with no modifications to the EEPRO M.
OTP If the OTP zone is unlocked, all bytes can be written with this comma nd. If the OTP zone is locked and the
OTPmode byte is read-only or legacy, the n this command returns an error. Otherwise, OTP mode sho uld be
consumption and this comma nd sets to zero those bits in the OTP zone that correspond t o the zero bits in
the input para meter value. When the OTP zone is locked, encrypted writes to it are neve r permitted
regardless of OTPmode.
Data If the data zone is unlocked, all bytes in all zones can be written with either plain text or enc rypted data.
After the data z one i s locked, t he v alues within the WriteConfig bytes contr ol access to t he data slots. If the
WriteConfig bits for this slot are set to “always”, the input data should be passed to the c hip in the clear. If
Bit:14 of Slot Config is set to one, the input data should be encrypted and an input MAC calculated.
Four byte writes are only permitted in the data and OTP zones if all four of the following conditions are met:
• SlotConfig.IsSecret must be zero
• SlotConfig.WriteConfig must be “always”
• The input data must not encrypted
• The data/OTP zones must be locked
Four byte writes will return an error under all other circum s tances.
The least significant three bits of Param2, Address[0:2], indicat e the word within the block, or are ignored if an ent i r e 32 byte
block is being written. Address[3:6] contains the slot num ber for writes to the data zone, or the block number for the Config
and OTP zones. Address values beyond the size of the specifi ed zone result in the command r eturning an error.
An y a ttempt to write the OTP and/or data zones prior to the configuration s ec tion being locked results in the chip returning an
error code.
8.14.1 Input Data E ncryption
The input data may be encrypted to prevent snooping on th e bus during pers onalizatio n or system oper ation. The system
should encrypt the data by XOR’ing the plain text with the current value in T empKey. Upon receipt the chip will XOR the inp ut
data with TempKey to r es tore the plain text prior to writing to the EEP R OM.
Whenever the input data is encrypted an authorizing i nput MAC is always required when writing t he data zone. T hi s MAC is
computed as:
SHA-256(Tem pK ey, Opcode, P ar am1, Param2, SN[8], SN[0:1] , <25 bytes of 0’s >, PlainTextD ata )
Prior to locking of the OT P /Data zones, Zone:6 is used to indicate to the chip whether or not t he i nput data is encrypted. After
locking of the OTP/Data z ones, Zone:6 is ig nor ed and only bit 14 of the slotConf ig corresponding to the slot being written is
used to determine whether or not the input data is encrypted.
If data encr yption is indicated, TempKey must be valid prior to this command being c alled, it must be the result of GenDig.
Specifically, this means that TempKey. V alid and Tem pKey.GenDig mus t both be set to o ne. Prior to dat a l oc king, any key can
be used to generate TempKey. After locking , the last slot us ed by GenDig for TempKey creation and stored in
TempKey.KeyID must mat c h that in SlotConfig.WriteKey and the rand om number gen er ator must have been used to originally
generate TempKey prior to GenDig.
Atmel ATSHA204 [DATASHEET] 56
8740C−CRYPTO−7/11
Table 8-37. Input Parameters
Name Size Notes
Opcode Write 1 0x12
Param1 Zone 1 Bits 0 and 1: Select among co nfig, OTP or dat a. See Section 8.1.5
Bits 2-5: Must be zero
Bit 6: If one, the input data must be encrypted. Must be zero if data/OTP zones ar e
locked
Bit 7: If one, 32 bytes will be written; otherwise, four b ytes are written
Param2 Address 2 Address of first word to be written within the zone. See S ection 8.1.4
Data_1 Value 4 or 32 Information to be written to th e z one; may be encr ypted
Data_2 Mac 0 or 32 Message authentication code to vali date address and data
Ignored if zone is unlocked
Table 8-38. O utput parameter
Name Size Notes
Success 1 Upon s uc cessful completion, t he A tmel ATSHA20 4 r eturns a value of zero
Atmel ATSHA204 [DATASHEET] 57
8740C−CRYPTO−7/11
9. Compatibility
The ATSHA204 i s designed to be upwards compatible with the AT88SA102S f or field operation. Most s ystems designed to
use the AT88SA 102S in client devices will work perfectly with the ATSHA204 in the clie nt devices without any modif i c ation to
the host syste m software or hardware.
Host systems t hat utilize the AT88SA10HS host device will also inter operate properly with the A TSHA204 cli ent device in
place of a previously used AT88S A 102S client. However, the AT88SA10HS itself cannot be replace d with the ATSHA204
without software modifications. With the appropriate s oftware updates, the ATSHA204 can implement all the functions o f an
AT8810HS hos t chip and conti nue to properly communicate with client AT88SA102S chips.
For compatibi li ty with the AT88SA102S, t he following values should be written to the memory of the ATSHA204:
1. During configuration, OTPmode should be set to Legacy to hide the values of the first 64 bits of the OTP section,
which contain a secret in the Atmel AT88SA102S
2. The same secret and status information that would have been written to the first 88 fuse bits of the Atmel
AT88SA102S should be written to the first 88 bits of the OTP section on the Atmel ATSHA204
3. OTP bits 88 through 127 should be written with copies of the values stored in SN[4:8] within the configuration section
of the Atmel ATSHA204 chip. The read command on legacy systems will always use the values in the OTP section
while the Atmel ATSHA204 always uses the values in the configuration zone during the computation of cryptographic
results
4. The key slot identified by the least significant four bits of the Atmel AT88SA102S KeyID assigned to a particular
customer should be loaded with the Atmel-provided value for that key
5. The SlotConfig bits for the key slot identified in step four should be set to: CheckOnly=0, SingleUse=0,
EncryptRead=0, IsSecret=1, WriteConfig=1000
The following compatibili ty exceptions apply:
• Those Atmel AT88SA102S systems using the BurnFuse command on the client device cannot be replaced with the
Atmel ATSHA204, as the corresponding command is not available on the Atmel ATSHA204. The same capability is
implemented with the Write command, but system software modifications are necessary
• Those Atmel AT88SA102S systems in which the system software reads and depends on a fixed value for the chip
revision number (RevNum at ROM address one) will find a different value in the Atmel ATSHA204
Note: This value is not guaranteed to be identical for all Atmel AT88SA102S chips
• Systems including multiple Atmel AT88SA102S and/or Atmel AT88SA10HS chips on a shared single-wire bus
cannot be replaced with the Atmel ATSHA204, as the Pause command operates differently
• The key diversification strategy implemented by the Atmel ATSHA204 (when operating as a host) is different from
the similar strategy used by the Atmel AT88SA10HS. The Atmel ATSHA204 can be used as a host authentication
device for Atmel ATSHA204 clients that include diversified keys, but those clients will not work interchangeably with
Atmel AT88SA102S clients
• Because of the difference in the nonvolatile memory technology and size, the secure personalization mechanism is
different on the Atmel ATSHA204 as compared to the Atmel AT88SA10HS and Atmel AT88SA102S. Users will need
to modify their manufacturing processes and pr ocedures accordingly
• The Atmel ATSHA204 cannot replace a client Atmel AT88SA100S chip used for batteries and other self-powered
systems
Atmel ATSHA204 [DATASHEET] 58
8740C−CRYPTO−7/11
10. Mechanical
10.1 Pin-out
The chip is offered in multipl e packages: 3-lead SOT23, 8-lead SOIC, 8-lea d TSSOP and 8-pad UDFN. The pin-outs are as
follows:
Table 10-1. Package Pinouts
Name SOT23-3 LD SOIC-8LD, TSSOP-8LD, UDFN-8 pad
SDA 1 5
SCL − 6
VCC 2 8
GND 3 4
NC − 1, 2, 3, 7
10.2 Wiring Configuration for Single-wire Interface
Using the sing le-wire interface al lows the connec tion of the ATSHA204 to a host us ing only a sing le pin (SDA) to t ransfer data
in both directions. This i nterface does not use the SCL pin. In this configuration, no bypass capacit or is required to connect the
chip to the syst em .
To prevent f or wa r d biasing th e internal diod e and drawing c ur rent across power planes in the system, the res i s tor pull-up on
the SDA pin should either be connected to the same supply that is conne cted to the V CC pin or to a lower vol tage rail.
If the signal l evels for SDA ar e different f r om the VCC voltage, consult the parametr i c specifications section of this document to
ensure that t he signal levels are such that excessive leakage current will be mi nimized when in sleep modes. This situati on
might occur if t he ATSHA204 c hi p is physically distant f r om the bus master chip and the supply voltage for the bus master i s
different from the supply vo l tage for the ATSHA204.
Figure 10-1. Three-wire Configuration for Single-Wire Interface
Atmel ATSHA204 [DATASHEET] 59
8740C−CRYPTO−7/11
11. Package Drawings
3TS1 ─ SOT23
TITLE DRAWING NO.GPC REV.
Package Drawing Contact:
packagedrawings@atmel.com 3TS1TBG A
3TS1, 3-lead, 1.30mm Body, Plastic Thin
Shrink Small Outline Package (Shrink SOT)
11/5/08
COMM ON DIMENSIONS
(Unit of Measure = mm)
SYMBOL MIN NOM MAX NOTE
A0.89 - 1.12
A
1
0.01 - 0.10
A
2
0.88 - 1.02
D2.80 2.90 3.04 1,2
E2.10 - 2.64
E
1
1.20 1.30 1.40 1,2
L
1
0.54 REF
e1 1.90 BS C
b0.30 - 0.50 3
1. Dimension D does not include mold flash, protrusions or gate burrs. Mold flash,
protrusions or gate burrs shall not exceed 0.25mm per end. Dimension E1 does
not include interlead flash or protrusion. Interlead flash or protrusion shall not
exceed 0.25mm per side.
2. The package top may be smaller than the package bottom. Dimensions D and E1
are determined at the outermost extremes of the plastic body exclusive of mold
flash, tie bar burrs, gate burrs and interlead flash, but including any mismatch
between the top and bottom of the plastic body.
3. These dimensions apply to the flat section of the lead between 0.08mm and
0.15mm from the lead tip.
This drawing is for general information only. Refer to
JEDEC Drawing TO-236, VariationAB for additional
information.
e1
Atmel ATSHA204 [DATASHEET] 60
8740C−CRYPTO−7/11
8X – TSSOP
Package Drawing Contact:
packagedrawings@atmel.com
DRAWING NO. REV.TITLE GPC
COMM ON DIMENSIONS
(Unit of Measure = mm)
SYMBOLMIN NOM MAX NOTE
A - - 1.20
A1 0.05 -0.15
A2 0.80 1.00 1.05
D2.90 3.00 3.10 2, 5
E6.40 BSC
E1 4.30 4.40 4.50 3, 5
b0.19 –0.30 4
e0.65 BSC
L0.45 0.60 0.75
L1 1.00 REF
C0.09 -0.20
Side View
End View
Top View
A2
A
L
L1
D
1
E1
N
b
Pin 1 indicator
this c or ner
E
e
Notes: 1. This drawing is for general information only. Refer to JEDEC
Drawing MO-153,VariationAA, for proper dimensions,
tolerances, datums, etc.
2. Dimension D does not include mold Flash, protrusions or gate
burrs. Mold Flash, protrusions and gate burrs shall not exceed
0.15 mm (0.006 in) per side.
3. Dimension E1 does not include inter-lead Flash or protrusions.
Inter-lead Flash and protrusions shall not exceed 0.25 mm
(0.010 in) per side.
4. Dimension b does not include Dambar protrusion.Allowable
Dambar protrusion shall be 0.08 mm total in excess of the b
dimension at maximum material condition. Dambar cannot be
located on the lower radius of the foot. Minimum space between
protrusion and adjacent lead is 0.07 mm.
5. Dimension D and E1 to be determined at Datum Plane H.
8X D
6/22/11
8X, 8-lead 4.4mm Body, Plastic Thin
Shrink Small Outline Package (TSSOP) TNR
C
A1
Atmel ATSHA204 [DATASHEET] 61
8740C−CRYPTO−7/11
8Y6 ─ UDFN
Package Drawing Contact:
packagedrawings@atmel.com
DRAWING NO.GPC REV.TITLE
8Y6YNZ E
11/21/08
8Y6, 8-lead, 2.0x3.0mm Body, 0.50mm Pitch,
UltraThin Mini-MAP, Dual No Lead Package
(Sawn)(UDFN)
COMMON DIMENSIONS
(Unit of Measure = mm)
SYMBOL MIN NOM MAX NOTE
1.40
–
–
0.00
–
0.20
0.20
D
E
D2
E2
A
A1
A2
A3
L
e
b
2.00 BSC
3.00 BSC
1.50
–
–
0.02
–
0.20 REF
0.30
0.50 BSC
0.25
1.60
1.40
0.60
0.05
0.55
0.40
0.30 2
A2
Pin 1
Index
Area
A3
D
E
b
(8X)
Pin 1 ID
A1
A
L (8X)
e (6X)
1.50 REF.
D2
E2
Notes: 1. This drawing is for general information only. Refer to
JEDEC Drawing MO-229, for proper dimensions,
tolerances, datums, etc.
2. Dimension b applies to metallized terminal and is
measured between 0.15mm and 0.30mm from the
terminal tip. If the terminal has the optional radius on
the other end of the terminal, the dimension should not
be measured in that radius area.
3. Soldering the large thermal pad is optional, but not
recommended. No electrical connection is
accomplished to the device through this pad, so if
soldered it should be tied to ground
Atmel ATSHA204 [DATASHEET] 62
8740C−CRYPTO−7/11
8S1 ─ SOIC
Package Drawing Contact:
packagedrawings@atmel.com
DRAWING NO. REV.TITLE GPC
COMMON DIMENSIONS
(Unit of Measure = mm)
SYMBOL MIN NOM MAX NOTE
A1 0.10 –0.25
A1.35 –1.75
b0.31 –0.51
C0.17 –0.25
D4.80 –5.05
E1 3.81 –3.99
E5.79 –6.20
e1.27 BSC
L0.40 –1.27
0° –8°
Ø
E
1
N
TOP VIEW
C
E1
END VIEW
A
b
L
A1
e
D
SIDE VIEW
8S1 G
6/22/11
Notes: This drawing is for general information only.
Refer to JEDEC Drawing MS-012, Variation AA
for proper dimensions, tolerances, datums, etc.
8S1, 8-lead (0.150” Wide Body), Plastic Gull
Wing Small Outline (JEDEC SOIC) SWB
Atmel ATSHA204 [DATASHEET] 63
8740C−CRYPTO−7/11
12. Orderi n g Inf or m ati on
Atmel ordering code
Package type
Interface configuration
ATSHA204-SH-CZ-T SO IC, tape and reel Single-wire
ATSHA204-SH-DA-T SOIC, tape and reel I2C
ATSHA204-SH-DA-B SOIC, bulk in tubes I2C
ATSHA204-TH-CZ-T TSSOP, tape a nd reel Single-wire
ATSHA204-TH-DA-T TSSOP, tape and reel I2C
ATSHA204-TSU-T SOT3LD, tape and reel Single-wire
ATSHA204-MAH-CZ-T(1) UDFN 8LD, tape and reel Single-wire
ATSHA204-MAH-DA-T(1) UDFN 8LD, tape and reel I2C
Note: 1. Cont act Atmel f or availability
13. Revisi o n Hi stor y
Doc. Rev.
Date
Comments
8740C 07/2011 Table 8-4, Co m mand Opcodes, Short Descriptions, and Execution Times
- Change Up dateExtra command for T yp from 4 to 8 and Max from 6 to 12
Change Mode:6 to Zone:6
Edit/update Write Command section
Update templ ate
8740B 04/2011 Document update
8740A 03/2011 Initial document release
14. Errata
The design should ensure th at all IO pin level s are within t he datasheet limits of VSS-0.5V and VCC+0.5V . The same po wer
supply signal net should be used for both the IO driver, the VCC pin on the S H A 204 and any pull -up r esistor on the S DA pin.
Failure to adh ere to these requirements may result in increased susceptibility to latchup.
Atmel Corporation
2325 Orchard Parkway
San Jose, CA 95131
USA
Tel: (+1)(408) 441-0311
Fax: (+1)(408) 487-2600
www.atmel.com
Atmel Asia Limited
Unit 01-5 & 16, 19F
BEA Tower, Millennium City 5
418 Kwun Tong Road
Kwun Tong, Kowloon
HONG KONG
Tel: (+852) 2245-6100
Fax: (+852) 27 22-1369
Atmel Munich GmbH
Business Campus
Parkring 4
D-85748 Garching b. Munich
GERMANY
Tel: (+49) 89-31970-0
Fax: (+49) 89-3194621
Atmel Japan
9F, Tonetsu Shinkawa Bldg.
1-24-8 Shinkawa
Chuo-ku, Tokyo 104-0033
JAPAN
Tel: (+81)(3) 3523 -3551
Fax: (+81)(3) 3523 -7581
© 2011 Atmel Corporation. All rights reserved. / Rev.: 8740C−CRYPTO−7/11
Atmel®, logo and combinations thereof, and others are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product
names may be trademarks of others.
Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN THE ATMEL TERMS AND CONDITIONS OF SALES LOCATED ON THE ATMEL WEBSITE, ATMEL ASSUMES
NO LIABILITY W HATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATI NG TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNIT IVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS AND PROFITS, BUSINESS INTERRUPTION, OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no
representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and products descriptions at any time
without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in,
automotive applications. Atmel products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life.
