Microchip simplifies proper security for small product runs

Microchip is offering high-security IoT authentication to companies that have no prior security knowledge and are producing as few as 10 units.

Authentication, in this case, is proving the identity of a device attempting to connect across a network using asymmetric cryptography.

Called ‘Trust Platform’, this is a ‘pre-provisioned’ hardware-based secure key storage system, which also offers solutions for mid and high-volume deployments.


“Hardware-based security is the only way to protect secret keys from physical attacks and remote extraction, but extensive security expertise, development time and costs are required to configure and provision each device,” according to the firm. “Manufacturers typically have only been able to support configuring and provisioning for high-volume orders, leaving companies with low- to mid-sized deployments with low performing options.”


The hardware involved is the firm’s existing ATECC608A secure element, which sits alongside a host microcontroller and provides key storage that is protected from attacks including physical tampering – and also includes the necessary crypto-processing logic.

To this, Trust Platform adds all of the infrastructure necessary for it to operate across the internet with end-to-end security, including secure manufacture at a Microchip site.

It has three options:

Trust&Go

  • 10 units minimum
  • two fixed applications:
      • automated cloud authentication
      • automated LoRaWAN authentication

Automated cloud authentication uses ‘transport layer security’ (TLS) for connecting to any IP-based network using any certificate chain (same device certificate across multiple accounts). Google Cloud Platform, Amazon Web Services, or a private cloud are covered, with other cloud choices planned.

Automated LoRaWAN authentication is compatible with services from either The Things Industries (TTI) or Actility.

Credentials are pre-programmed into the ATECC608A and shipped to the customer.
In parallel, corresponding certificates and public keys are delivered in a ‘manifest file’ – downloadable via Microchip’s on-line store and some distributors.

TrustFlex

  • 2,000 units minimum
  • Adds a smorgasbord of functions to the above two use-cases

The customer can use their own certificate authority of choice, and can pick from pre-configured use cases including the above two, secure boot, over-the-air (OTA) updates, IP protection, user data protection and key rotation.
“This reduces the time and complexity involved in customising the device without requiring customised part numbers,” according to Microchip.

TrustCustom

  • 4,000 units minimum
  • Starts with a blank device and allows complete customisation

This provides customer-specific configuration capabilities and custom credential provisioning – the customer sends its information to Microchip for automatic secure inclusion into the ATECC608A production run. Data is only finally un-wrapped for programming inside a secure programming machine at Microchip’s factory. “Microchip’s secure manufacturing facilities safely provision keys, ensuring that keys are never exposed to any party during provisioning or the lifetime of the device,” it said.

Partnership

Microchip worked with Amazon Web Services (AWS) to create a simplified route into AWS IoT services for products designed using all three variants of Microchip’s Trust Platform.

The hardware element – the ATECC608A – provides secure key storage rated ‘high’ by the Common Criteria Joint Interpretation Library (JIL).

“With hardware-based root of trust storage and cryptographic countermeasures, the device protects against the widest classes of known physical attacks,” said Microchip.

For the uninitiated, the firm has developed on-line education resources to describe how security should work.

For prototyping, there are the Trust Platform Design Suite and hardware boards:

  • Guided use-case tool
  • Executable Python tutorials running on Jupyter notebooks
  • Examples for each use case in C
  • ‘Secret exchange’ utility
  • CryptoAuth Trust Platform kit
  • ATECC608A Trust Platform kit – includes chips for Trust&Go, TrustFlex and TrustCustom.

Parts 

Trust&Go for TLS
ATECC608A-TNGTLSx-B MOQ=10
ATECC608A-TNGTLSx-G MOQ=2,000

Trust&Go for LoRaWAN (MOQ=10)
ATECC608A-TNGLORAx-B The Things Industries
ATECC608A-TNGACTU-B Actility

TrustFlex
ATECC608A-TFLXLORAx for LoRaWAN, any join servers
ATECC608A-TFLXTLSx for TLS

TrustCustom
ATECC608A-TCSTMx

Packaging
x = U for uDFN
x = S for SO8

Steve Bush

Steve Bush is the long-standing technology editor for Electronics Weekly, covering electronics developments for more than 25 years. He has a particular interest in the Power and Embedded areas of the industry. He also writes for the Engineer In Wonderland blog, covering 3D printing, CNC machines and miscellaneous other engineering matters.
