It’s been nearly three years in the making, but the USB Implementers Forum (USB-IF) has launched the USB Type-C Authentication Program. It’s a way for OEMs to implement the USB Type-C Authentication spec that defines the cryptographic-based authentication methods used to protect systems from firmware, hardware, or software threats, an even power surges from non-compliant chargers.
OEMs get control over the actual security policies that they put in place, but the specification allows them to use a standard protocol to do so. “Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status,” said the USB-IF in a press release. The authentication occurs at the moment the wired connection happens, the group said, “before inappropriate power or data can be transferred,” and it can be via the USB data bus or USB PD communications channels.
The spec uses 128-bit security and “existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation.” DigiCert is managing the Public Key Infrastructure (PKI) and certificate authority services for the program, a fact the group touted in its own press release. Participation in the program is voluntary for OEMs.
There are obvious practical applications for this technology. One is avoiding wonky USB Type-C chargers, which is a well-documented and immensely frustrating hazard of owning a USB Type-C device. Instead of playing Russian roulette with a third party charger, whether it’s one you buy from Amazon or a charging port at a public terminal, the authentication should ameliorate any dangerous connections. Sure, you may end up without the ability to juice up your phone at the airport, but it’s better than the alternative.
Another scenario that the USB-IF noted is when an organization needs to secure its IP (or state secrets, or whatever) on laptops that travel with their personnel. They can implement a policy that will allow only verified storage devices to connect with the systems.
That is all marvelous, but because every tool can be a weapon when used improperly and we can’t have anything nice, there are fears that this program is essentially a DRM mechanism. Indeed, it gives OEMs a lot of control over those ports, and that control could be abused to, for example, lock out competitors’ devices. The practicality of such restrictions seems meager, though; that would be an awfully aggressive vertical integration strategy.
It does, though, follow the USB-IF’s strategy of making USB Type-C an eminently flexible connector, made more (or less) powerful by the protocols a port supports. The whole USB Type-C plan was about using one connector to support all manner of protocols, from Thunderbolt 3 to Power Delivery, and letting OEMs figure out which ones they wanted to implement.
This has backfired a bit, though, because you can’t tell by looking a given USB Type-C port what it actually offers. Does it have USB 3.1 Gen 2? Thunderbolt 3? And so on. (You’re supposed to be able to tell at a glance, but OEMs don’t always use the labeling code that the USB-IF created. Sigh.)
It’s ultimately probably for your own good, but now you can add “Are these two devices that share a universal physical connector actually compatible, or is the authentication failing?” to your list of troubleshooting questions to ask when things go awry.