Trusted and Secure Authentication with ATECC608A for AWS IoT

Why would you harden your IoT Security with the ATECC608A for AWS IoT?

Watch Getting Started Video Buy the AWS IoT Kit for ATECC608A AWS_DeviceQualification_LogoLockup_iot_500px

This solution is archived and will no longer be updated. We recommend that you use the TrustFLEX ATECC608B-TFLXTLS for AWS IoT Core instead.

Securing communication with a Cloud service and manipulating keys comes with many challenges: storing and using keys in the microcontroller exposes them, operating systems and software have bugs, the Heartbleed bug for OpenSSL was notable by easily exposing keys. Consequently, governments and corporations across the globe are working to protect individual identities and privacy. Strong authentication is the start of robust security. This leads cloud providers to push towards hardware-based security to obtain strong device identity protection, prevent identity spoofing, but also to protect against unauthorized firmware updates and prevent proliferation.

An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points

Update the Zero Touch provisioning Kit version B using the ATECC608A

Simply use the new CryptoAuth XPRO-B board.

What about the ATECC608A for AWS IoT? you may ask. Based on the Zero Touch provisioning kit (version B) for AWS IoT hardware, you can simply swap the red CryptoAuth-XPRO board to the CryptoAuth-XPRO-B board that includes now the ATECC608A or use one of the socketed AT88CKSCKTUDFN-XPRO add-on boards with your device package of choice.

What remains identical compared to the ATECC508A for AWS IoT? The overall hardware is still using the ATWINC1500 Wifi, the ATSAMG55 (Cortex-M4) running FreeRTOS and the OLED display board . The TLS is still leveraging the integrated one from the ATWINC1500 provided by Microchip. The AWS IoT setup is also identical.

What is different from the ATECC508A then? The ATECC608A doesn't come preconfigured on the CryptoAuth-XPRO-B board. During the "getting started" procedure, the firmware update necessary to upgrade to the ATECC608A will configure the secure element as part of the process. One of the main added value of the ATECC608A is to enable secure boot capabilities for light embedded systems (illustrated separately). The RNG has been upgraded and an AES hardware accelerator is integrated.

The AT88CKECC-AWS-XSTK-B kit for AWS IoT has been designed to help the engineer starting to prototype and learn the basics of secure provisioning. The secure element is pre-configured but not provisioned with keys out of the box. The Python based scripts are here to guide the user through the steps of provisioning and illustrate the process their company will go through when implementing certificate based authentication in a production environment. Once the kit is provisioned, it provides a unique, trusted and protected identity.

20 Years of Experience in Secure Provisioning

Microchip is here the all way through.

Trust cannot rely only on the device but also on the manufacturing process. Exploiting third party weaknesses is one of the top targets for hackers. Isolating keys and secrets from manufacturing is equally vital. Customers can leave this burden to Microchip's secure factories and leverage our trusted provisioning service already used by thousands of companies. It's zero touch, the private keys are never exposed.

Prototype

Educate yourself about the AWS IoT Security model
Understand why private key isolation is vital to your design
Learn how to code with CryptoAuthLib library
Learn how to configure the ATECC608A memory zone and set your expected policies
Learn the basics of provisioning a secure element

Learn More

Personalize

Memory configuration is defined and locked
Your Certificate Authority is decided
AWS IoT production account is configured with AWS
Secret Exchange with Microchip completed
The ATECC608A is setup with your customized part number

Learn More

Mass Production

All the provisioning – keys/certificates generation and manipulation is done within Microchip secure factories
Keys are internally generated and never exposed to the outside world
Elimination of any software or manufacturing backdoors
The device ships pre-provisioned with the secrets

Learn More

Tools and Software

Access the code on GitHub HERE including the provisioning scripts for the ATECC608A (Python based) and the AWS IoT account setup scripts (using CloudFormation from AWS)
Buy the kit: https://www.microchipdirect.com/product/search/all/ATECC608aAWSIoT
AT88CKSCKTUDFN-XPRO add-on board (remember to order)
Firmware to upgrade from ATECC508A to ATECC608A is illustrated in the link to the GitHub repo above

Getting Started - http://microchipdeveloper.com/iot:ztpk

AWS IoT Core Secure Authentication with JITR Tutorial Video: Guides you through the complete onboarding process -
https://www.youtube.com/watch?v=kvjYcPNSmoo