AWS IoT Greengrass Hardware Security Interface (HSI)

For the ATECC608A Secure Element

When it comes to IoT security, private keys are the most sensitive material. If a private key is accessed by an unintended party, that person can now impersonate the IoT hardware and undertake undesired or malicious operations. Because of this, the most basic security practice to follow is to implement a secured hardware root of trust to remove exposure of private keys to software, firmware, manufacturing sites, end users or other third parties. Microchip’s ATECC608A secure element provides a JIL “high” rated secure key storage area to isolate keys. This is especially valuable in Linux^® environments where software is a living entity and software backdoors to keys are likely to show up.

To further help adding hardware secure key storage, Amazon Web Service (AWS) offers IoT Greengrass Hardware Security Integration as part of its IoT Greengrass Core software. It is an interface between the IoT Greengrass Core and a hardware secure module based on PKCS#11. The ATECC608A is used in this implementation as the hardware secure key storage to isolate private keys needed for the authentication between AWS IoT and AWS IoT Greengrass from the Linux-based system enabled with IoT Greengrass. This microprocessor-agnostic solution adds true hardware secure key storage to any Linux-based IoT products. The ATEC608a is now part of the AWS Device Qualification Program supporting AWS IoT Greengrass.

Benefits of using the AWS IoT Greengrass Hardware Security Integration:

Leverage secure elements for AWS IoT Greengrass ecosystems
Provide a unique, trusted and protected identity
Optimum hardware security with secure key storage

Use standard PKCS#11 interface
Anti-tampering protection
Side-channel attack protections
JIL rated “high” secure key storage

Open User Manual Read AWS Partner Network (APN) Blog Tutorial ATECC608A-UDFN-8

What is a PKCS#11 interface?

PKCS#11 is part of the Public Key Cryptography Standard (PKCS). To put it simply, it’s an interface or API that defines the communication between a controller (microcontroller or microprocessor) and a Hardware Secure Module (HSM). The ATECC608A is the HSM in the IoT Greengrass Hardware Security Integration.

What’s the Importance of Secure Hardware Key Storage?

Security if often mistaken with encryption. Encryption alone doesn’t solve security. It’s not either because a key is encrypted and stored that the system can be secure as firmware and software bugs will always exists. Bugs are a natural part of coding. In addition, there is another considerable attack surface to consider during the manufacturing process where keys and other cryptographic assets can be severely exposed to employees and equipment. All these backdoors are attack surface to spoof a private key. The usage an ATECC608a secure element combined with Microchip’s provisioning service will help to reduce significantly the exposure of your keys from software, firmware, manufacturing, third-party companies and users. The ATECC608a is equipped with active anti-tampering protections as well as side attack channel protections. All of the cryptographic function involved with the key are all in the same secure boundary that the secure element. That architecture combined with any microprocessors or microcontroller reduces backdoors to keys at a very affordable cost for a high grade of security. The ATECC608a has been rated JIL “High” demonstrating its high robustness on protecting keys.

How does IoT Greengrass Hardware Security Integration work?

There are two authenticated links that IoT Greengrass Hardware Security Integration will look in for a signature:

The authentication between the IoT Greengrass Core to AWS IoT
The authentication from the IoT Greengrass Core to the IoT edge node connected to the gateway.

Both authentication paths are relying on a mutual TLS1.2 protocol. Consequently, the system could require two private keys to address the two authentication links, one for each. Alternatively, a single private key can be used to authenticate both links. The choice will depend on the application and the security model decided on by the designer. The IoT edge node will still require having its own private key to be stored in a secure element like the ATECC608A within the end-node itself.

Learn more about secure authentication for AWS IoT edge nodes Read this tutorial on the AWS Partner Network (APN) Blog

The scalable IoT Greengrass Hardware Security Integration relies on a PKCS#11 interface. This architecture makes the usage of a secure element very portable from one Linux-based design to another, saving significant development time and accelerating time to market.

Start Developing Your IoT Greengrass Hardware Security Integration Solution

Step one: Buy the “Secure 4 click” and the adapter that already includes the ATECC608a and the Raspberry Pi to MikroBUS™ adapter from MikroElektronika.
Step two: Procure a Linux system such as a Raspberry Pi (example documented) or a Microchip SAMA5Dx MPU.
Step three: Go to the user manual hosted on GitHub and start implementing the ATECC608A secure element within your IoT Greengrass-enabled system.
Step four: Use AWS IoT Greengrass documentation to get started with IoT Greengrass and deploy IoT Greengrass Core software to your device. Follow directions for making changes to your config.json file to use the ATECC608A private key.
- Benefit from strong authentication between AWS IoT Core and AWS IoT Greengrass with secure key storage.