USB Type C to get authentication programme

Published by at

The USB Implementers Forum (USB-IF), the support organization for the advancement and adoption of USB technology, has announced the launch of its USB Type-C Authentication Program, "marking an important milestone for the optional USB security protocol". The USB Type-C Authentication specification defines cryptographic-based authentication for USB Type-C chargers and devices.

From Business Wire:

USB Type-C Authentication empowers host systems to protect against non-compliant USB chargers and to mitigate risks from malicious firmware/hardware in USB devices attempting to exploit a USB connection. Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status. All of this happens right at the moment a connection is made – before inappropriate power or data can be transferred.

Key characteristics of the USB Type-C Authentication solution include:

  • A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

USB-IF selected DigiCert to manage the PKI and certificate authority services for the USB Type-C Authentication Program. For further details, read the DigiCert announcement.

Which is all very well and sounds good - the potential for a dodgy power bank to also hook up with a hosted file system and deliver malware has always been there. Though in practice you'd have to wonder whether it would all really be worthwhile for an accessory maker - the malware would have to be very tightly targetted for any rewards to make their way back to the people spending money on manufacturing and distribution.

So consider the threat a little theoretical. And it will take a few years before all OS and accessory makers are onboard. In short, don't worry, and also don't hold your breath for this being implemented across the board.

Source / Credit: Business Wire