USB-C adds authentication protocol

The USB 3.0 Promoter Group has announced it has devised and will adopt a new “USB Type-C Authentication specification.”

The specification means makers of USB devices will be able to encode them with information about their source and function. When connecting to those devices, machines like computers or phones will be able to read that descriptor and choose to connect, or not, depending on policies.

The USB 3.0 Promoter Group says, “For a traveller concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers.” Or perhaps you're worried that your organisation's laptop fleet could be compromised by rogue USB devices, in which case you “can set a policy in its PCs granting access only to verified USB storage devices.” It's not clear if that will allow organisations to specify individual devices, or just devices whose manufacturers have implemented the spec.

USB-C needs this spec for two reasons. The first is that once USB-C becomes ubiquitous and a single wire is responsible for carrying both power and data, hackers will likely look for opportunities to attack through chargers or devices.

The second is that there are lots of second-rate electronics, such as poorly wired cables, capable of destroying equipment. Amazon.com recently banned the sale of non-compliant cables from its web site. If devices flag such parts as sub-standard, or refuse to connect to them, that is good news for the end user.

Details of the specification can be found in the revised USB 3.1 spec (54MB .ZIP file). The TL;DR version is that it “references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation,” so it sounds like a conventional issue-certificates-and-check-them protocol.