Microchip logo
  • All
  • Products
  • Documents
  • Applications Notes

Trust&GO ATECC608A Secure Element for AWS IoT Core Secure Authentication

Leverage the Simplicity of Generic Certificate Authentication

When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. AWS IoT Core supports generic certificate-based authentication, but the trust in the device identity will depend entirely on how well the device’s private key is protected. If the private key is spoofed, the device can be impersonated by an unauthorized user who can then control the device’s transactions. However, adding authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, creating a possibly cost-prohibitive chain of trust and ensuring a secure manufacturing flow. These challenges can be addressed by using the Trust&GO ATECC608A-TNGTLS secure element from our Trust Platform family of solutions on AWS IoT Core.

Defining a secure authentication model without expertise can be a daunting task. Finding and implementing a certificate authority provider to securely provision keys increases the cost and complexity of your project. The Trust&GO ATECC608A-TNGTLS comes pre-configured and pre-provisioned with a generic certificate for thumbprint authentication and key to significantly reduce costs and simplify your development. On the cloud side, the AWS IoT Core architecture offers you a simple Application Programming Interface (API) to implement generic certificate-based authentication called Multi-Account Registration. Since the implementation relies only on a single certificate layer, the controller code is extremely streamlined. A signature is issued using the private key in the secure element based on a challenge issued from the cloud. The controller uses the CryptoAuthLib™ library APIs to trigger the signature that will be verified by the generic certificate. The corresponding generic certificate is provided in a manifest file downloadable from our online store after the devices have shipped.

At the device level, our ATECC608A-TNGTLS provides a JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a certificate security model and leverage a wide variety of traditional low-power microcontrollers (MCUs).

Benefits of Using the Trust&GO ATECC608A with AWS IoT Core:

  • Pre-configured device and pre-provisioned private key
  • Create secure authentication to IoT devices powered by AWS IoT Core
  • Benefit from the scalability of AWS IoT Multi-Account Registration
  • Leverage the simplicity of generic certificate authentication
  • Implement a unique, trusted, protected and managed device identity
  • Turn-key code examples available for 32-bit microcontrollers
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Protection against known tamper, side-channel attacks
AWS_DeviceQualification_LogoLockup_iot_500px ATECC608A

Trust&GO ATECC608A-TNGTLS Features:

Each of the device slots are pre-configured and pre-provisioned to offer the following use cases:

  • Generic Certificate Authentication: Use the default generic certificates for thumbprint authentication already locked inside the Trust&GO device; the cloud architecture will not need to use a root certificate to verify the thumbprint certificate, but the server will have to be set up to implement this policy.
  • Token Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
  • Secure Boot (with key attestation): Perform an ECDSA verification at boot using a public key corresponding to a private key used to sign the code that the system will boot from. The public key becomes highly sensitive as it will allow a system to boot. The public key that will need to be inside the device is not in the device at time of purchase. It will have to be loaded separately.

Visit the ATECC608A-TNGTLS product page to learn more about the device’s features.

Ready to Get Started with Trust&GO and AWS IoT Core?

Just follow these steps:

Step 1: Download the data sheet.


Step 2: Buy the Trust Platform hardware featuring an Arm® Cortex®-M0+ based SAM D21 MCU and our WINC1500 Wi-Fi® IoT network controller.

Step 3: As you work with the development kit, use the tutorial and code example and create the manifest file using the Trust Platform Design Suite, available for Windows® and macOS® operating systems.

Step 4: Once the C code for the secure element is working in your embedded application, you are ready to go to production. Order the pre-provisioned devices and download the manifest file from our online store or from our distribution partners. Upload the list of public credentials in the AWS IoT Core environment.

Step 5: Read more about the AWS IoT Multi-Account Registration and request a registration to access the API.