The USB Implementers Forum has announced a new addition to the USB Type-C specification that is intended to restrict the use of uncertified or potentially malicious accessories with reversible USB-C connectors. The USB Power Delivery 3.0 specification contains a special extension, the USB Type-C Authentication specification, which promises to help host devices identify chargers, cables, storage solutions and hosts before making connections. However, taking advantage of the technology will require new devices.

USB interconnections are expected to become more popular than ever thanks to the convenience of reversible USB Type-C, its ability to deliver up to 100W of power and its support for custom features. However, expanded functionality requires more sophisticated cables with multiple wires and special ID chips, which are more expensive to make than traditional USB cables. As has become clear in recent months, many cheap cables are not compliant with USB-IF’s requirements; they either do not support high data rates, cannot charge USB-C devices, or may even damage the products they are connected to. USB authentication promises to end these frustrations and, as an added bonus, make future USB-C devices a little more secure.

Devices compliant with USB PD 3.0’s USB-C authentication technology will be able to verify the capabilities of accessories that also support it, and whether or not they have been certified by the USB-IF. The verification information will be exchanged right after devices are connected, before any data or energy is transferred. The USB-IF will make it possible to set up policies that restrict the use of incompatible or uncertified accessories with particular host devices.

The USB-C authentication will divide accessories into three types: USB devices, USB power delivery devices (e.g., chargers) and USB Type-C alternate mode devices (e.g., displays). The authentication data messages will be transmitted using different communication paths (USB bus, USB PD or mixed) and will be encrypted using 128-bit methods.

USB Type-C Authentication Cryptographic Methods
Method | Use
Framework (ITU X.509), OID (ITU-T X.402), DER-encoding (ITU-T X.690) | Certificate format
ECDSA (ANSI X9.62) using NIST P-256 curve (NIST-FIPS-186-4) | Digital signing of certificates and authentication messages
SHA256 (NIST-FIPS-180-4) | Hash algorithm
NIST-compliant PRNG source (SP800-90A) seeded with a 256-bit full-entropy value (SP800-90B) | Random numbers

Based on what is known about USB authentication, the technology can restrict the use of uncertified cables only in cases where their use is prohibited by manufacturers or by end-users themselves. Moreover, it will only be completely supported by fully-featured cables compatible with the USB Power Delivery 3.0 specification, which will contain a chip with an ID as well as optional vendor-defined messages.

According to the USB-IF, it is possible to add the USB-C authentication protocol to host devices by updating their software and firmware, but that will depend on device manufacturers. Since it is not feasible to update things like chargers or cables, they will need to be replaced, or their use will have to be permitted by software-defined security policies. Owners of PCs, tablets and smartphones will be able to authorize only certain accessories to work with their devices, making it impossible to plug a USB flash drive into a host containing confidential data. Nonetheless, once an accessory is authorized, it will be able to work with hosts, harm them or even infect them with viruses. Therefore, the new USB technology is not a replacement for antivirus software.

It remains to be seen how different manufacturers take advantage of the new technology. If it is implemented too strictly, some hosts may become incompatible with the majority of cheap USB-C products on the market.

At present we do not know when the USB-IF plans to start certifying devices with the USB authentication technology or how the organization plans to certify thousands of cables and chargers. Perhaps Intel, the company that developed the USB PD 3.0, will reveal more information at its IDF trade-show in the coming days, so stay tuned.

Source: USB-IF (via Ars Technica)

28 Comments

  • Manch - Thursday, April 14, 2016 - link

    LOL, I was wondering what he was on about... Reply
  • JoeyJoJo123 - Thursday, April 14, 2016 - link

    It's pretty easy to mistake this tech as being the return of HDCP, but on USB type-C. The article isn't actually very clear on what/why these interconnects would need to be protected, and the thing most people think of is HDCP and the usage of HDCP strippers to bypass that. Reply
  • chaos215bar2 - Thursday, April 14, 2016 - link

    The return of HDCP? HDCP, sadly, doesn't seem to be going anywhere despite being a very real annoyance to legitimate users and irrelevant to the pirates it purports to stop. Reply
  • Guspaz - Thursday, April 14, 2016 - link

    Not quite: HDCP is full-blown encryption, while this is just authentication.

    Why this is needed is because the proliferation of incorrectly made unlicensed USB-C cables has become something of a crisis where the cheap laptops started destroying phones and laptops. Something had to be done to ensure that using a USB-C cable doesn't fry your device, and I'm not sure what else they could do to prevent that short of an authentication mechanism like this.
    Reply
  • Guspaz - Thursday, April 14, 2016 - link

    Sorry, I meant "where the cheap cables", not "where the cheap laptops". Reply
  • barleyguy - Friday, April 15, 2016 - link

    What I was picturing when I read this is a company, most likely Apple, creating a device that only authenticates with USB-C cables of a specific brand. Which seems completely possible under this spec.

    If that does happen, that's the thing that will be hacked in about a week.
    Reply
  • zodiacfml - Friday, April 15, 2016 - link

    Thinking the same thing while reading it. They will be able to circumvent the new feature. Reply
  • Samus - Thursday, April 14, 2016 - link

    All of a sudden Apple's MFi certification doesn't seem so ridiculous Reply
  • damianrobertjones - Thursday, April 14, 2016 - link

    ...Yet you can still buy really crappy cables and chargers? Reply
  • Samus - Friday, April 15, 2016 - link

    If a non-MFi cable is used, its charge rate is restricted to 100mah.

    Face it, I don't like Apple any more than you probably do, but they were right to future proof Lightning with a certification circuit considering it will inevitably be used for USB-C like it is on the MacBook.
    Reply
